From e836d04d16787c2c9c72e7bf011cf396d1f73c19 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sun, 15 May 2022 11:51:25 -0400
Subject: [PATCH] fix(account): security fix
---
 src/models/user.js | 2 ++
 .../js/angularjs/controllers/profile.js | 19 +++++++++++++++++++
 src/views/subviews/profile.hbs | 6 +++---
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/models/user.js b/src/models/user.js
index 5132b8472..0c52c9fb1 100644
--- a/src/models/user.js
+++ b/src/models/user.js
@@ -100,6 +100,8 @@ userSchema.pre('save', function (next) {
 return next()
 }
+ if (user.password.toString().length > 255) user.password = utils.applyMaxTextLength(user.password)
+
 bcrypt.genSalt(SALT_FACTOR, function (err, salt) {
 if (err) return next(err)
diff --git a/src/public/js/angularjs/controllers/profile.js b/src/public/js/angularjs/controllers/profile.js
index f57b8b0ff..65eb52db2 100644
--- a/src/public/js/angularjs/controllers/profile.js
+++ b/src/public/js/angularjs/controllers/profile.js
@@ -45,6 +45,14 @@ define([
 }, 0)
 }
+ function validateEmail (email) {
+ return String(email)
+ .toLowerCase()
+ .match(
+ /^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
+ )
+ }
+
 $scope.updateUser = function ($event) {
 $event.preventDefault()
@@ -52,6 +60,17 @@ define([
 if (_.isUndefined(id)) return
 var data = getFormData()
+ if (
+ data.fullname.toString().length > 25 ||
+ data.password.toString().length > 255 ||
+ data.cPassword.toString().length > 255 ||
+ data.email.toString().length > 255 ||
+ !validateEmail(data.email.toString())
+ ) {
+ helpers.UI.showSnackbar('Form data invalid.', true)
+ return false
+ }
+
 $http
 .put('/api/v1/users/' + data.username, {
 aId: id,
diff --git a/src/views/subviews/profile.hbs b/src/views/subviews/profile.hbs
index a9972498d..e58e87eec 100644
--- a/src/views/subviews/profile.hbs
+++ b/src/views/subviews/profile.hbs
@@ -92,15 +92,15 @@
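Review bot: The new length guard in the pre('save') hook silently rewrites the secret instead of rejecting it: a password longer than 255 characters is shortened by utils.applyMaxTextLength and then hashed, so the caller is never told that what was submitted is not what was stored; failing the save with `if (user.password.toString().length > 255) return next(new Error('Password exceeds maximum length'))` is the clearer contract. The same 255 literal is re-checked in the profile.js hunk of this patch, so a single named constant shared by both sides (placeholder name `MAX_PASSWORD_LENGTH`) would keep them from drifting. What applyMaxTextLength counts (characters, bytes, or something else) is not visible here, so the browser-side `.length` check and this one may disagree on multi-byte input; a one-line comment should also note that bcrypt implementations generally use only the first 72 bytes of the input, so this cap does not change what is actually hashed. The pre('save') callback starts and ends outside the hunk.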
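Review bot: validateEmail returns the result of `.match()` — an array or null — rather than the boolean its name promises, and rebuilds the regex literal on every call; hoisting it as `var EMAIL_PATTERN = /…/` beside the function and returning `EMAIL_PATTERN.test(String(email))` fixes both (a non-global regex keeps no lastIndex state, so reusing it with test() is safe). The `.toLowerCase()` call is redundant because the pattern already accepts both cases in every character class. A short comment above the function should state that this runs in the browser only and is a usability check, not a trust boundary: the bracketed-IP branch accepts any 1–3 digit octets such as 999, and the API handler receiving the PUT must validate the address itself. The define() module enclosing this function starts and ends outside the hunk.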
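Review bot: The guard calls `.toString()` on each form field, so if getFormData() yields undefined or null for any of them (its shape is not visible here) the handler throws a TypeError before the snackbar is shown; `String(data.cPassword || '')`, and likewise for the other fields, keeps the check from crashing on a missing value. The fullname (25) and email (255) limits exist only in this browser code — the user.js hunk in the same patch caps the password alone — so unless the schema already carries maxlength validators they should be mirrored server-side, since the PUT to /api/v1/users can be sent without going through this controller. The early exit also mixes `return false` with the bare `return` two lines above; pick one form. $scope.updateUser continues past the end of the hunk.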
- +
- +
- +