A bit more restrictive for allowed names

3 years ago · 9c67c60c5a
2 changed files with 46 additions and 5 deletions
--- a/server/add_user.go
+++ b/server/add_user.go
@ -6,14 +6,17 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"regexp"

 	"git.sindominio.net/sindominio/lowry/ldap"
 	"github.com/gorilla/mux"
 )

-func getReservedNames() map[string]bool {
+var (
+	validName = regexp.MustCompile(`^[a-z0-9][a-z0-9_\-]*$`)
+
 	// See https://ldpreload.com/blog/names-to-reserve
-	return map[string]bool{
+	reservedNames = map[string]bool{
 		"abuse":                  true,
 		"admin":                  true,
 		"administrator":          true,
@ -59,7 +62,7 @@ func getReservedNames() map[string]bool {
 		"wpad":                   true,
 		".well-known":            true,
 	}
-}
+)

 func (s *server) listInvitesHandler(w http.ResponseWriter, r *http.Request) {
 	response := s.newResponse("invites", w, r)
@ -155,8 +158,8 @@ func (s *server) addUserHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if getReservedNames()[name] {
-		log.Println("Can't create user ", name, ": name is reserved")
+	if !validUserName(name) {
+		log.Println("Can't create user ", name, ": invalid name")
 		response.execute("exists")
 		return
 	}
@ -210,3 +213,14 @@ func (s *server) addUserHandler(w http.ResponseWriter, r *http.Request) {
 	response = s.newResponse("adduser_success", w, r)
 	response.execute("name")
 }
+
+func validUserName(name string) bool {
+	if len(name) < 3 {
+		return false
+	}
+	if reservedNames[name] {
+		return false
+	}
+
+	return validName.MatchString(name)
+}
--- a/server/add_user_test.go
+++ b/server/add_user_test.go
@ -0,0 +1,27 @@
+package server
+
+import (
+	"testing"
+)
+
+func TestValidUserName(t *testing.T) {
+	if validUserName("a") {
+		t.Errorf("Got valid user for single char user")
+	}
+	if validUserName("bo") {
+		t.Errorf("Got valid user for less than 3 char user")
+	}
+	if validUserName("-aaksjkj") {
+		t.Errorf("Got valid user for a user that starts with '-'")
+	}
+	if validUserName("_zoz") {
+		t.Errorf("Got valid user for a user that starts with '_'")
+	}
+	if validUserName("76aa+o") {
+		t.Errorf("Got valid user for a user that contains '+'")
+	}
+
+	if !validUserName("name") {
+		t.Errorf("Got invalid user for a good name")
+	}
+}