Prevent usernames in Chat mode of length 128 chars or more

2025-01-24 13:41:14 -05:00 · 2021-05-14 10:44:14 +10:00 · 2021-05-14 10:44:14 +10:00 · 00473eaef6
commit 00473eaef6
parent b2d57ff787
4 changed files with 58 additions and 13 deletions
--- a/cli/onionshare_cli/resources/static/js/chat.js
+++ b/cli/onionshare_cli/resources/static/js/chat.js
@ -88,7 +88,7 @@ var emitMessage = function (socket) {

 var updateUsername = function (socket) {
  var username = $('#username').val();
-  if (!checkUsernameExists(username)) {
+  if (!checkUsernameExists(username) && !checkUsernameLength(username)) {
    $.ajax({
      method: 'POST',
      url: `http://${document.domain}:${location.port}/update-session-username`,
@ -133,6 +133,15 @@ var checkUsernameExists = function (username) {
  return false;
 }

+var checkUsernameLength = function (username) {
+  $('#username-error').text('');
+  if (username.length > 128) {
+    $('#username-error').text('Please choose a shorter username.');
+    return true;
+  }
+  return false;
+}
+
 var getScrollDiffBefore = function () {
  return $('#chat').scrollTop() - ($('#chat')[0].scrollHeight - $('#chat')[0].offsetHeight);
 }
--- a/cli/onionshare_cli/resources/templates/chat.html
+++ b/cli/onionshare_cli/resources/templates/chat.html
@ -23,6 +23,7 @@
  <div class="chat-container no-js">
    <div class="chat-users">
      <div class="editable-username">
+        <p>Your username:</p>
        <input id="username" value="{{ username }}" />
        <p id="username-error"></p>
      </div>
@ -43,4 +44,4 @@
  <script async src="{{ static_url_path }}/js/chat.js"></script>
 </body>

-</html>
+</html>
--- a/cli/onionshare_cli/web/chat_mode.py
+++ b/cli/onionshare_cli/web/chat_mode.py
@ -79,20 +79,33 @@ class ChatModeWeb:
            if (
                data.get("username", "")
                and data.get("username", "") not in self.connected_users
+                and len(data.get("username", "")) < 128
            ):
                session["name"] = data.get("username", session.get("name"))
-            self.web.add_request(
-                request.path,
-                {"id": history_id, "status_code": 200},
-            )
-
-            self.web.add_request(self.web.REQUEST_LOAD, request.path)
-            r = make_response(
-                jsonify(
-                    username=session.get("name"),
-                    success=True,
+                self.web.add_request(
+                    request.path,
+                    {"id": history_id, "status_code": 200},
+                )
+
+                self.web.add_request(self.web.REQUEST_LOAD, request.path)
+                r = make_response(
+                    jsonify(
+                        username=session.get("name"),
+                        success=True,
+                    )
+                )
+            else:
+                self.web.add_request(
+                    request.path,
+                    {"id": history_id, "status_code": 403},
+                )
+
+                r = make_response(
+                    jsonify(
+                        username=session.get("name"),
+                        success=False,
+                    )
                )
-            )
            return self.web.add_security_headers(r)

        @self.web.socketio.on("joined", namespace="/chat")
--- a/desktop/tests/test_gui_chat.py
+++ b/desktop/tests/test_gui_chat.py
@ -47,6 +47,27 @@ class TestChat(GuiBaseTest):
        self.assertTrue(jsonResponse["success"])
        self.assertEqual(jsonResponse["username"], "oniontest")

+    def change_username_too_long(self, tab):
+        """Test that we can't set our username to something 128 chars or longer"""
+        url = f"http://127.0.0.1:{tab.app.port}/update-session-username"
+        bad_username = "sduBB9yEMkyQpwkMM4A9nUbQwNUbPU2PQuJYN26zCQ4inELpB76J5i5oRUnD3ESVaE9NNE8puAtBj2DiqDaZdVqhV8MonyxSSGHRv87YgM5dzwBYPBxttoQSKZAUkFjo"
+        data = {"username":bad_username}
+        if tab.settings.get("general", "public"):
+            r = requests.post(url, json=data)
+        else:
+            r = requests.post(
+                url,
+                json=data,
+                auth=requests.auth.HTTPBasicAuth(
+                    "onionshare", tab.get_mode().server_status.web.password
+                ),
+            )
+
+        QtTest.QTest.qWait(500, self.gui.qtapp)
+        jsonResponse = r.json()
+        self.assertFalse(jsonResponse["success"])
+        self.assertNotEqual(jsonResponse["username"], bad_username)
+
    def run_all_chat_mode_tests(self, tab):
        """Tests in chat mode after starting a chat"""
        self.server_working_on_start_button_pressed(tab)
@ -60,6 +81,7 @@ class TestChat(GuiBaseTest):
        self.server_status_indicator_says_started(tab)
        self.view_chat(tab)
        self.change_username(tab)
+        self.change_username_too_long(tab)
        self.server_is_stopped(tab)
        self.web_server_is_stopped(tab)
        self.server_status_indicator_says_closed(tab)