fix: disallow queries in username and email fields

Username and email fields should not allow queries.
2019-05-29 20:24:29 +05:30 · 2019-05-29 20:24:29 +05:30 · 2dd98a368b
parent a3619df4b5
commit 2dd98a368b
2 changed files with 58 additions and 6 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -208,12 +208,20 @@ module.exports = function(User) {
    var query = self.normalizeCredentials(credentials, realmRequired,
      realmDelimiter);

-    if (realmRequired && !query.realm) {
+    if (realmRequired) {
+      if (!query.realm) {
        var err1 = new Error(g.f('{{realm}} is required'));
        err1.statusCode = 400;
        err1.code = 'REALM_REQUIRED';
        fn(err1);
        return fn.promise;
+      } else if (typeof query.realm !== 'string') {
+        var err5 = new Error(g.f('Invalid realm'));
+        err5.statusCode = 400;
+        err5.code = 'INVALID_REALM';
+        fn(err5);
+        return fn.promise;
+      }
    }
    if (!query.email && !query.username) {
      var err2 = new Error(g.f('{{username}} or {{email}} is required'));
@ -222,6 +230,19 @@ module.exports = function(User) {
      fn(err2);
      return fn.promise;
    }
+    if (query.username && typeof query.username !== 'string') {
+      var err3 = new Error(g.f('Invalid username'));
+      err3.statusCode = 400;
+      err3.code = 'INVALID_USERNAME';
+      fn(err3);
+      return fn.promise;
+    } else if (query.email && typeof query.email !== 'string') {
+      var err4 = new Error(g.f('Invalid email'));
+      err4.statusCode = 400;
+      err4.code = 'INVALID_EMAIL';
+      fn(err4);
+      return fn.promise;
+    }

    self.findOne({where: query}, function(err, user) {
      var defaultError = new Error(g.f('login failed'));
--- a/test/user.test.js
+++ b/test/user.test.js
@ -555,6 +555,37 @@ describe('User', function() {
      });
    });

+    it('should not allow queries in email field', function(done) {
+      User.login({email: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
+        assert(err);
+        assert.equal(err.code, 'INVALID_EMAIL');
+        assert(!accessToken);
+
+        done();
+      });
+    });
+
+    it('should not allow queries in username field', function(done) {
+      User.login({username: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
+        assert(err);
+        assert.equal(err.code, 'INVALID_USERNAME');
+        assert(!accessToken);
+
+        done();
+      });
+    });
+
+    it('should not allow queries in realm field', function(done) {
+      User.settings.realmRequired = true;
+      User.login({username: 'x', password: 'x', realm: {'neq': 'x'}}, function(err, accessToken) {
+        assert(err);
+        assert.equal(err.code, 'INVALID_REALM');
+        assert(!accessToken);
+
+        done();
+      });
+    });
+
    it('Login a user by providing credentials with TTL', function(done) {
      User.login(validCredentialsWithTTL, function(err, accessToken) {
        assert(accessToken.userId);