Prevent usernames in Chat mode of length 128 chars or more

This commit is contained in:
Miguel Jacq 2021-05-14 10:44:14 +10:00
parent b2d57ff787
commit 00473eaef6
No known key found for this signature in database
GPG Key ID: EEA4341C6D97A0B6
4 changed files with 58 additions and 13 deletions


@ -88,7 +88,7 @@ var emitMessage = function (socket) {
var updateUsername = function (socket) { var updateUsername = function (socket) {
var username = $('#username').val(); var username = $('#username').val();
if (!checkUsernameExists(username)) { if (!checkUsernameExists(username) && !checkUsernameLength(username)) {
$.ajax({ $.ajax({
method: 'POST', method: 'POST',
url: `http://${document.domain}:${location.port}/update-session-username`, url: `http://${document.domain}:${location.port}/update-session-username`,
@ -133,6 +133,15 @@ var checkUsernameExists = function (username) {
return false; return false;
} }
var checkUsernameLength = function (username) {
$('#username-error').text('');
if (username.length > 128) {
$('#username-error').text('Please choose a shorter username.');
return true;
}
return false;
}
var getScrollDiffBefore = function () { var getScrollDiffBefore = function () {
return $('#chat').scrollTop() - ($('#chat')[0].scrollHeight - $('#chat')[0].offsetHeight); return $('#chat').scrollTop() - ($('#chat')[0].scrollHeight - $('#chat')[0].offsetHeight);
} }
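Review bot: The client check at `if (username.length > 128)` accepts a username of exactly 128 characters, while the server-side condition added in the same commit, `len(data.get("username", "")) < 128`, rejects it, so a user who types exactly 128 characters sees no inline error and gets a 403 from the server instead; `if (username.length >= 128) {` matches the server and the commit title. Note also that JavaScript's `.length` counts UTF-16 code units whereas Python's `len()` counts code points, so the two checks can still disagree for usernames containing characters outside the BMP; the server check is the authoritative one, and a comment such as `// Client-side hint only; the server enforces the limit in /update-session-username.` above `checkUsernameLength` would make that explicit. `updateUsername` continues past the end of the first hunk.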


@ -23,6 +23,7 @@
<div class="chat-container no-js"> <div class="chat-container no-js">
<div class="chat-users"> <div class="chat-users">
<div class="editable-username"> <div class="editable-username">
<p>Your username:</p>
<input id="username" value="{{ username }}" /> <input id="username" value="{{ username }}" />
<p id="username-error"></p> <p id="username-error"></p>
</div> </div>
@ -43,4 +44,4 @@
<script async src="{{ static_url_path }}/js/chat.js"></script> <script async src="{{ static_url_path }}/js/chat.js"></script>
</body> </body>
</html> </html>
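Review bot: The `<input id="username" value="{{ username }}" />` on the context line carries no `maxlength`, so the new limit is only enforced by the script and the server round trip; adding `maxlength="127"` to that input would stop over-long entry in the browser before either runs. The server check stays authoritative since the attribute is trivially bypassed, so this is a usability improvement rather than a security control.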


@ -79,20 +79,33 @@ class ChatModeWeb:
if ( if (
data.get("username", "") data.get("username", "")
and data.get("username", "") not in self.connected_users and data.get("username", "") not in self.connected_users
and len(data.get("username", "")) < 128
): ):
session["name"] = data.get("username", session.get("name")) session["name"] = data.get("username", session.get("name"))
self.web.add_request( self.web.add_request(
request.path, request.path,
{"id": history_id, "status_code": 200}, {"id": history_id, "status_code": 200},
) )
self.web.add_request(self.web.REQUEST_LOAD, request.path) self.web.add_request(self.web.REQUEST_LOAD, request.path)
r = make_response( r = make_response(
jsonify( jsonify(
username=session.get("name"), username=session.get("name"),
success=True, success=True,
)
)
else:
self.web.add_request(
request.path,
{"id": history_id, "status_code": 403},
)
r = make_response(
jsonify(
username=session.get("name"),
success=False,
)
) )
)
return self.web.add_security_headers(r) return self.web.add_security_headers(r)
@self.web.socketio.on("joined", namespace="/chat") @self.web.socketio.on("joined", namespace="/chat")
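Review bot: The new condition `and len(data.get("username", "")) < 128` calls `len()` on whatever the client sent under `"username"`, and nothing in the hunk establishes that it is a string; a JSON body with an integer value would make `len()` raise `TypeError` on this line, and a list or dict would pass the length and membership checks and be stored in `session["name"]`. Binding the value once and type-checking it avoids both: `username = data.get("username", "")` before the `if`, then `isinstance(username, str) and username and username not in self.connected_users and len(username) < 128` as the condition, with `session["name"] = username` in the body. Where `data` is parsed is outside the hunk, so if the request parser already guarantees a string this reduces to a readability change. The enclosing function starts before the hunk.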


@ -47,6 +47,27 @@ class TestChat(GuiBaseTest):
self.assertTrue(jsonResponse["success"]) self.assertTrue(jsonResponse["success"])
self.assertEqual(jsonResponse["username"], "oniontest") self.assertEqual(jsonResponse["username"], "oniontest")
def change_username_too_long(self, tab):
"""Test that we can't set our username to something 128 chars or longer"""
url = f"http://127.0.0.1:{tab.app.port}/update-session-username"
bad_username = "sduBB9yEMkyQpwkMM4A9nUbQwNUbPU2PQuJYN26zCQ4inELpB76J5i5oRUnD3ESVaE9NNE8puAtBj2DiqDaZdVqhV8MonyxSSGHRv87YgM5dzwBYPBxttoQSKZAUkFjo"
data = {"username":bad_username}
if tab.settings.get("general", "public"):
r = requests.post(url, json=data)
else:
r = requests.post(
url,
json=data,
auth=requests.auth.HTTPBasicAuth(
"onionshare", tab.get_mode().server_status.web.password
),
)
QtTest.QTest.qWait(500, self.gui.qtapp)
jsonResponse = r.json()
self.assertFalse(jsonResponse["success"])
self.assertNotEqual(jsonResponse["username"], bad_username)
def run_all_chat_mode_tests(self, tab): def run_all_chat_mode_tests(self, tab):
"""Tests in chat mode after starting a chat""" """Tests in chat mode after starting a chat"""
self.server_working_on_start_button_pressed(tab) self.server_working_on_start_button_pressed(tab)
@ -60,6 +81,7 @@ class TestChat(GuiBaseTest):
self.server_status_indicator_says_started(tab) self.server_status_indicator_says_started(tab)
self.view_chat(tab) self.view_chat(tab)
self.change_username(tab) self.change_username(tab)
self.change_username_too_long(tab)
self.server_is_stopped(tab) self.server_is_stopped(tab)
self.web_server_is_stopped(tab) self.web_server_is_stopped(tab)
self.server_status_indicator_says_closed(tab) self.server_status_indicator_says_closed(tab)
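Review bot: `bad_username` in `change_username_too_long` is a 128-character literal (by my count) that encodes the boundary implicitly, so a reader cannot tell from the test whether it exercises the `< 128` edge or merely a long value; `bad_username = "x" * 128  # exactly at the rejected boundary` states the intent and cannot be miscounted. A companion check that a 127-character username is accepted would pin both sides of the limit, since the existing `change_username` test uses a short name. The `data = {"username":bad_username}` line is also missing the space after the colon that the rest of the file uses.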