Validate register usernames on the back-end. Fixes #716 (#750)
authorDessalines <dessalines@users.noreply.github.com>
Thu, 28 May 2020 18:07:36 +0000 (14:07 -0400)
committerGitHub <noreply@github.com>
Thu, 28 May 2020 18:07:36 +0000 (14:07 -0400)
* Validate register usernames on the back-end. Fixes #716

* Changing name to is_valid_username

server/src/api/user.rs
server/src/lib.rs
ui/translations/en.json

index c2734f5124535af70539e2709fed56b70a0ee6a1..ee57723a1e6cb35888878b8c553d14343b39ea15 100644 (file)
@@ -1,4 +1,5 @@
 use super::*;
+use crate::is_valid_username;
 use bcrypt::verify;
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -261,6 +262,10 @@ impl Perform for Oper<Register> {
       return Err(APIError::err("admin_already_created").into());
     }
 
+    if !is_valid_username(&data.username) {
+      return Err(APIError::err("invalid_username").into());
+    }
+
     // Register the new user
     let user_form = UserForm {
       name: data.username.to_owned(),
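Review bot: The new guard accepts mixed-case names and `data.username` is stored unchanged in `UserForm`, so whether `Admin` and `admin` can both be registered depends on a uniqueness check that is not visible in this hunk. If that check is case-sensitive, look-alike accounts become possible and make impersonating an existing user easier. Consider comparing on a lower-cased form when looking for an existing user, or add a comment next to the guard such as `// names are case-sensitive; uniqueness is enforced separately`. The enclosing method in `impl Perform for Oper<Register>` starts and ends outside the hunk.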
index d1531d7e04e88d8eb5c4c1a40617dd680bc1fb60..ca4bedea7b09162ff79725053c40d2b89a9510c6 100644 (file)
@@ -269,11 +269,15 @@ pub fn get_ip(conn_info: &ConnectionInfo) -> String {
     .to_string()
 }
 
+pub fn is_valid_username(name: &str) -> bool {
+  VALID_USERNAME_REGEX.is_match(name)
+}
+
 #[cfg(test)]
 mod tests {
   use crate::{
-    extract_usernames, is_email_regex, is_image_content_type, remove_slurs, slur_check,
-    slurs_vec_to_str,
+    extract_usernames, is_email_regex, is_image_content_type, is_valid_username, remove_slurs,
+    slur_check, slurs_vec_to_str,
   };
 
   #[test]
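Review bot: `is_valid_username` is a new public function with no doc comment, and the rule it enforces lives in a regex defined in a different part of the file. Add a line above `pub fn` such as `/// Returns true if name is 3 to 20 characters long and contains only ASCII letters, digits and underscores.` It is also worth stating there that this checks the shape of the name only; it performs no slur or uniqueness check, so callers still need those.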
@@ -291,6 +295,15 @@ mod tests {
     assert!(!is_email_regex("nada_neutho"));
   }
 
+  #[test]
+  fn test_valid_register_username() {
+    assert!(is_valid_username("Hello_98"));
+    assert!(is_valid_username("ten"));
+    assert!(!is_valid_username("Hello-98"));
+    assert!(!is_valid_username("a"));
+    assert!(!is_valid_username(""));
+  }
+
   #[test]
   fn test_slur_filter() {
     let test =
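Review bot: `test_valid_register_username` never exercises the upper length limit or the two-character boundary, so a later edit to the `{3,20}` quantifier could go unnoticed. Add `assert!(is_valid_username(&"a".repeat(20)));`, `assert!(!is_valid_username(&"a".repeat(21)));` and `assert!(!is_valid_username("ab"));`. Since this function is the server-side gate for registration input, a case with embedded whitespace or a trailing newline would also be a cheap regression guard.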
@@ -352,4 +365,5 @@ lazy_static! {
   static ref EMAIL_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$").unwrap();
   static ref SLUR_REGEX: Regex = RegexBuilder::new(r"(fag(g|got|tard)?|maricos?|cock\s?sucker(s|ing)?|nig(\b|g?(a|er)?(s|z)?)\b|dindu(s?)|mudslime?s?|kikes?|mongoloids?|towel\s*heads?|\bspi(c|k)s?\b|\bchinks?|niglets?|beaners?|\bnips?\b|\bcoons?\b|jungle\s*bunn(y|ies?)|jigg?aboo?s?|\bpakis?\b|rag\s*heads?|gooks?|cunts?|bitch(es|ing|y)?|puss(y|ies?)|twats?|feminazis?|whor(es?|ing)|\bslut(s|t?y)?|\btrann?(y|ies?)|ladyboy(s?)|\b(b|re|r)tard(ed)?s?)").case_insensitive(true).build().unwrap();
   static ref USERNAME_MATCHES_REGEX: Regex = Regex::new(r"/u/[a-zA-Z][0-9a-zA-Z_]*").unwrap();
+  static ref VALID_USERNAME_REGEX: Regex = Regex::new(r"^[a-zA-Z0-9_]{3,20}$").unwrap();
 }
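Review bot: `VALID_USERNAME_REGEX` accepts a name whose first character is a digit or underscore, but `USERNAME_MATCHES_REGEX` on the line above requires a letter right after `/u/`. A name such as `9lives` can therefore register and then never be matched by the mention pattern. If the two are meant to agree, either require a leading letter here, `Regex::new(r"^[a-zA-Z][a-zA-Z0-9_]{2,19}$")`, or relax the mention pattern; the test inputs `Hello_98` and `ten` still pass with the stricter form. A short comment above the new line stating the accepted alphabet and the 3 to 20 length would also help anyone who has to mirror the rule in the UI.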
index 703bdaec12cdb0051c7a6281f305a51ac3dca4af..ff28a3cf4e50690302ae4cff6f32c056df4ca476 100644 (file)
       "Couldn't find that username or email.",
     "password_incorrect": "Password incorrect.",
     "passwords_dont_match": "Passwords do not match.",
+    "invalid_username": "Invalid username.",
     "admin_already_created": "Sorry, there's already an admin.",
     "user_already_exists": "User already exists.",
     "email_already_exists": "Email already exists.",