Merge pull request #1 from AntoniaBK/patch-1

Fix: validate username
2024-05-02 13:30:34 +02:00 · 2024-05-02 13:30:34 +02:00 · 1ea95a6362
parent 00e331ec5a db0a11185a
commit 1ea95a6362
2 changed files with 12 additions and 8 deletions
--- a/website/web/init.py
+++ b/website/web/init.py
@ -53,7 +53,7 @@ else:
    all_timezones_set = available_timezones()

 from .genericapi import api as generic_api
-from .helpers import (User, build_users_table, get_secret_key,
+from .helpers import (User, valid_username, build_users_table, get_secret_key,
                      load_user_from_request, src_request_ip, sri_load,
                      get_lookyloo_instance)
 from .proxied import ReverseProxied
@ -107,6 +107,9 @@ def login() -> WerkzeugResponse | str | Response:
               '''

    username = request.form['username']
+    if not valid_username(username):
+        flash('User is not permitted.', 'error')
+        return redirect(url_for('login'))
    users_table = build_users_table()
    if username in users_table and check_password_hash(users_table[username]['password'], request.form['password']):
        user = User()
@ -1636,14 +1639,13 @@ def capture_web() -> str | Response | WerkzeugResponse:
@app.route('/simple_capture', methods=['GET','POST'])
@flask_login.login_required  # type: ignore[misc]
 def simple_capture() -> str | Response | WerkzeugResponse:
-    if flask_login.current_user.is_authenticated:
-        user = flask_login.current_user.get_id()
-    else:
-        user = src_request_ip(request)
+    user = flask_login.current_user.get_id()
+    if not re.match("^[A-Za-z0-9]+$", user):
+        # Username has been manipulated
+        flash('User is not permitted.', 'error')
+        return redirect(url_for('submit_capture'))
+      
    if request.method == 'POST':
-        if not re.match("^[A-Za-z]+$", user):
-            flash('User is not permitted.', 'error')
-            return redirect(url_for('simple_capture'))
        if not (request.form.get('url') or request.form.get('urls')):
            flash('Invalid submission: please submit at least a URL.', 'error')
            return render_template('simple_capture.html')
--- a/website/web/helpers.py
+++ b/website/web/helpers.py
@ -49,6 +49,8 @@ def load_user_from_request(request: Request) -> User | None:
        return user
    return None

+def valid_username(username: str) -> bool:
+  return re.match("^[A-Za-z0-9]+$", username)

@lru_cache(64)
 def build_keys_table() -> dict[str, str]: