From 2dd98a368b719e85644c7cd901694ac38393d808 Mon Sep 17 00:00:00 2001 From: Hage Yaapa Date: Wed, 29 May 2019 20:24:29 +0530 Subject: [PATCH] fix: disallow queries in username and email fields Username and email fields should not allow queries.
---
 common/models/user.js | 33 +++++++++++++++++++++++++++------
 test/user.test.js | 31 +++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 6 deletions(-)
diff --git a/common/models/user.js b/common/models/user.js
index dca6a3c0..73bbda79 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -208,12 +208,20 @@ module.exports = function(User) {
 var query = self.normalizeCredentials(credentials, realmRequired, realmDelimiter);
- if (realmRequired && !query.realm) {
- var err1 = new Error(g.f('{{realm}} is required'));
- err1.statusCode = 400;
- err1.code = 'REALM_REQUIRED';
- fn(err1);
- return fn.promise;
+ if (realmRequired) {
+ if (!query.realm) {
+ var err1 = new Error(g.f('{{realm}} is required'));
+ err1.statusCode = 400;
+ err1.code = 'REALM_REQUIRED';
+ fn(err1);
+ return fn.promise;
+ } else if (typeof query.realm !== 'string') {
+ var err5 = new Error(g.f('Invalid realm'));
+ err5.statusCode = 400;
+ err5.code = 'INVALID_REALM';
+ fn(err5);
+ return fn.promise;
+ }
 }
 if (!query.email && !query.username) {
 var err2 = new Error(g.f('{{username}} or {{email}} is required'));
@@ -222,6 +230,19 @@ module.exports = function(User) {
 fn(err2);
 return fn.promise;
 }
+ if (query.username && typeof query.username !== 'string') {
+ var err3 = new Error(g.f('Invalid username'));
+ err3.statusCode = 400;
+ err3.code = 'INVALID_USERNAME';
+ fn(err3);
+ return fn.promise;
+ } else if (query.email && typeof query.email !== 'string') {
+ var err4 = new Error(g.f('Invalid email'));
+ err4.statusCode = 400;
+ err4.code = 'INVALID_EMAIL';
+ fn(err4);
+ return fn.promise;
+ }
 self.findOne({where: query}, function(err, user) {
 var defaultError = new Error(g.f('login failed'));
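Review bot: The new `typeof query.realm !== 'string'` check is nested under `if (realmRequired)`, so when realms are optional an object-valued `realm` is not rejected by this hunk at all; whether it then reaches `findOne({where: query})` depends on what `normalizeCredentials` copies into `query`, which is not visible here. Consider validating the type whenever a realm is present, independent of the setting, e.g. a separate guard `if (query.realm && typeof query.realm !== 'string') {` placed before the `realmRequired` branch, with the same 400/`INVALID_REALM` error. The enclosing login function starts before this hunk.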
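Review bot: The `err3`/`err4` blocks added here repeat the same four statements as `err1`/`err5` in the previous hunk, leaving five near-identical error constructions in one function. A small helper that builds the 400 error from an already-formatted message and a code would keep each guard to two lines and keep the `g.f('...')` literals in place for message extraction, e.g. `fn(badRequest(g.f('Invalid username'), 'INVALID_USERNAME')); return fn.promise;`. The enclosing login function starts before this hunk and continues after it.
```javascript
// module-level helper; g is already in scope in this file
function badRequest(message, code) {
  var err = new Error(message);
  err.statusCode = 400;
  err.code = code;
  return err;
}

// … unchanged: realm and username-or-email guards …
if (query.username && typeof query.username !== 'string') {
  fn(badRequest(g.f('Invalid username'), 'INVALID_USERNAME'));
  return fn.promise;
} else if (query.email && typeof query.email !== 'string') {
  fn(badRequest(g.f('Invalid email'), 'INVALID_EMAIL'));
  return fn.promise;
}
// … unchanged: self.findOne({where: query}, …) …
```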
diff --git a/test/user.test.js b/test/user.test.js
index 4d7f2bfc..f562fef0 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -555,6 +555,37 @@ describe('User', function() {
 });
 });
+ it('should not allow queries in email field', function(done) {
+ User.login({email: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
+ assert(err);
+ assert.equal(err.code, 'INVALID_EMAIL');
+ assert(!accessToken);
+
+ done();
+ });
+ });
+
+ it('should not allow queries in username field', function(done) {
+ User.login({username: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
+ assert(err);
+ assert.equal(err.code, 'INVALID_USERNAME');
+ assert(!accessToken);
+
+ done();
+ });
+ });
+
+ it('should not allow queries in realm field', function(done) {
+ User.settings.realmRequired = true;
+ User.login({username: 'x', password: 'x', realm: {'neq': 'x'}}, function(err, accessToken) {
+ assert(err);
+ assert.equal(err.code, 'INVALID_REALM');
+ assert(!accessToken);
+
+ done();
+ });
+ });
+
 it('Login a user by providing credentials with TTL', function(done) {
 User.login(validCredentialsWithTTL, function(err, accessToken) {
 assert(accessToken.userId);
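Review bot: `User.settings.realmRequired = true;` in the realm test is never reset, so unless a `beforeEach` elsewhere in this file restores the setting (not visible in the hunk), every later test in this `describe`, starting with `Login a user by providing credentials with TTL`, runs with realms required and may fail or pass for the wrong reason. Save the previous value at the top of the test, e.g. `var realmRequired = User.settings.realmRequired;`, and restore it with `User.settings.realmRequired = realmRequired;` just before `done();`, or toggle it in a `beforeEach`/`afterEach` pair. The enclosing `describe('User', ...)` block starts before this hunk and continues after it.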