From 87e231e04495fb705fe1e03cb56fc4136bafe895 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sat, 14 May 2022 15:39:02 -0400
Subject: [PATCH] fix(account): security fix

---
 src/helpers/utils/index.js | 7 +++++++
 src/models/user.js | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/helpers/utils/index.js b/src/helpers/utils/index.js
index d5e542539..da0c6f4ee 100644
--- a/src/helpers/utils/index.js
+++ b/src/helpers/utils/index.js
@@ -17,6 +17,13 @@ const xss = require('xss')
 const fs = require('fs')
 const piexifjs = require('piexifjs')
 
+const MAX_FIELD_TEXT_LENGTH = 255
+const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+
+module.exports.applyMaxShortTextLength = function (text) {
+  return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
+}
+
 module.exports.sanitizeFieldPlainText = function (text) {
   return xss(text, {
     whileList: {},
diff --git a/src/models/user.js b/src/models/user.js
index 894e681a1..5132b8472 100644
--- a/src/models/user.js
+++ b/src/models/user.js
@@ -90,11 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole)
 userSchema.pre('save', function (next) {
   var user = this
 
-  user.username = utils.sanitizeFieldPlainText(user.username.toLowerCase().trim())
+  user.username = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.username.toLowerCase().trim()))
   user.email = utils.sanitizeFieldPlainText(user.email.trim())
 
-  if (user.fullname) user.fullname = utils.sanitizeFieldPlainText(user.fullname.trim())
-  if (user.title) user.title = utils.sanitizeFieldPlainText(user.title.trim())
+  if (user.fullname) user.fullname = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.fullname.trim()))
+  if (user.title) user.title = utils.applyMaxShortTextLength(utils.sanitizeFieldPlainText(user.title.trim()))
 
   if (!user.isModified('password')) {
     return next()
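Review bot: `applyMaxShortTextLength` calls `text.toString()` unconditionally, so a `null` or `undefined` value throws a TypeError from inside the save hook rather than yielding an empty or unchanged string; a guard such as `if (text == null) return text` ahead of the `substring` keeps the helper total, and a one-line JSDoc noting that it truncates to 25 UTF-16 code units (so `substring` can split a surrogate pair in a name containing an emoji) would document the contract. `MAX_FIELD_TEXT_LENGTH = 255` is introduced but nothing in this patch reads it, so either add the matching `applyMaxTextLength` helper it implies or leave it out until it is used. On the neighbouring context line `whileList: {}`, if the intent was the `xss` library's `whiteList` option, the misspelled key would presumably be ignored and the library's default whitelist would apply instead of stripping every tag; that is worth confirming, since the new length cap is layered on top of this sanitizer.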
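Review bot: The new cap silently truncates `user.username` to 25 characters inside the save hook, so a longer username is persisted as a value the user never entered while the request still succeeds; declaring `maxlength: 25` on the schema path, or rejecting in the hook with `return next(new Error('username too long'))`, would surface the limit as a validation error instead. `user.email` is sanitized but receives no length cap at all, even though `MAX_FIELD_TEXT_LENGTH` was added in the same patch; if that constant was meant for email, the corresponding helper call is missing on this line. Since this is a `pre('save')` hook, writes that go through query operations such as `findOneAndUpdate` or `updateOne` would presumably bypass both the sanitizer and the new cap, so it is worth checking that no such path updates these fields. The hook's body continues past the end of the hunk.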