Add prevention for user name contains link

StevenWeathers · Oct 15, 2024 · 9721791 · 9721791
1 parent 4beded2
commit 9721791
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 0 deletions.
diff --git a/internal/http/auth.go b/internal/http/auth.go
@@ -348,6 +348,12 @@ func (s *Service) handleCreateGuestUser() http.HandlerFunc {
 			return
 		}
 
+		invalidUsername := containsLink(u.Name)
+		if invalidUsername {
+			s.Failure(w, r, http.StatusBadRequest, Errorf(EINVALID, "INVALID_USERNAME"))
+			return
+		}
+
 		newUser, err := s.UserDataSvc.CreateUserGuest(ctx, u.Name)
 		if err != nil {
 			s.Logger.Ctx(ctx).Error("handleCreateGuestUser error", zap.Error(err),
@@ -413,6 +419,12 @@ func (s *Service) handleUserRegistration() http.HandlerFunc {
 			return
 		}
 
+		invalidUsername := containsLink(u.Name)
+		if invalidUsername {
+			s.Failure(w, r, http.StatusBadRequest, Errorf(EINVALID, "INVALID_USERNAME"))
+			return
+		}
+
 		activeUserID, _ := s.Cookie.ValidateUserCookie(w, r)
 
 		userName, userEmail, userPassword, accountErr := validateUserAccountWithPasswords(

diff --git a/internal/http/user.go b/internal/http/user.go
@@ -141,6 +141,12 @@ func (s *Service) handleUserProfileUpdate() http.HandlerFunc {
 			return
 		}
 
+		invalidUsername := containsLink(profile.Name)
+		if invalidUsername {
+			s.Failure(w, r, http.StatusBadRequest, Errorf(EINVALID, "INVALID_USERNAME"))
+			return
+		}
+
 		if sessionUserType == thunderdome.AdminUserType {
 			_, _, vErr := validateUserAccount(profile.Name, profile.Email)
 			if vErr != nil {

diff --git a/internal/http/util.go b/internal/http/util.go
@@ -9,6 +9,7 @@ import (
 	"html/template"
 	"io/fs"
 	"net/http"
+	"regexp"
 	"strconv"
 	"strings"
 
@@ -373,3 +374,12 @@ func retroTemplateBuildFormatFromRequest(requestFormat retroTemplateFormatReques
 
 	return tf
 }
+
+// containsLink checks if the input string contains a link
+func containsLink(input string) bool {
+	urlPattern := `((http|https):\/\/[a-zA-Z0-9\-._~:/?#[\]@!$&'()*+,;=]+)`
+
+	re := regexp.MustCompile(urlPattern)
+
+	return re.MatchString(input)
+}
diff --git a/internal/http/util_test.go b/internal/http/util_test.go
@@ -331,3 +331,36 @@ func TestSanitizeUserInputForLogs(t *testing.T) {
 		})
 	}
 }
+
+func TestContainsLink(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{
+			name:     "Contains URL",
+			input:    "Visit https://example.com",
+			expected: true,
+		},
+		{
+			name:     "Invalid URL format",
+			input:    "This is not a URL: http:/example.com",
+			expected: false,
+		},
+		{
+			name:     "Contains Complex URL",
+			input:    "Check out https://sub.example.com:8080/path?query=value#fragment",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := containsLink(tt.input)
+			if result != tt.expected {
+				t.Errorf("containsLink(%q) = %v, want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}