chg: [website] A blocklist of usernames is now used to block words we…

… might not like to see used as usernames.
cve-search · Jul 10, 2024 · 4aae795 · 4aae795
1 parent 5885a3a
commit 4aae795
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 15 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -58,6 +58,7 @@ pyotp = "^2.9.0"
 qrcode = "^7.4.2"
 pyvariot = "^0.2.0"
 markdown = "^3.6"
+the-big-username-blacklist = "^1.5.4"
 
 [tool.poetry.group.dev.dependencies]
 ipython = "^8.25.0"

diff --git a/website/models/user.py b/website/models/user.py
@@ -10,6 +10,7 @@
 from flask import url_for
 from flask_login import UserMixin  # type: ignore[import-untyped]
 from sqlalchemy.orm import validates
+from the_big_username_blacklist import validate
 from validate_email import validate_email  # type: ignore[import-untyped]
 from werkzeug.security import check_password_hash
 
@@ -80,18 +81,19 @@ def __str__(self) -> str:
 
     @validates("login")
     def validates_login(self, key: str, value: str) -> str:
-        assert 3 <= len(value) <= 30, AssertionError("maximum length for login: 30")
+        assert 3 <= len(value) <= 30, AssertionError("Maximum length for login: 30")
+        assert validate(value), AssertionError("Username not allowed.")
         return re.sub("[^a-zA-Z0-9_-]", "", value.strip())
 
     @validates("email")
     def validates_email(self, key: str, value: str) -> str:
-        assert 3 <= len(value) <= 256, AssertionError("maximum length for email: 256")
-        assert validate_email(value), AssertionError("email address not valid")
+        assert 3 <= len(value) <= 256, AssertionError("Maximum length for email: 256")
+        assert validate_email(value), AssertionError("Email address not valid")
         return value
 
     @validates("apikey")
     def validates_apikey(self, key: str, value: str) -> str:
-        assert 30 <= len(value) <= 100, AssertionError("minimum length for apikey: 30")
+        assert 30 <= len(value) <= 100, AssertionError("Minimum length for apikey: 30")
         return value
 
     @staticmethod

diff --git a/website/web/api/v1/user.py b/website/web/api/v1/user.py
@@ -126,6 +126,8 @@ def post(self) -> Tuple[Dict[Any, Any], int]:
             )
             db.session.add(new_user)
             db.session.commit()
+        except AssertionError as e:
+            return abort(400, f"{e}")
         except exc.IntegrityError:
             db.session.rollback()
             return abort(400, f"Impossible to create the user.")

diff --git a/website/web/views/admin.py b/website/web/views/admin.py
@@ -98,16 +98,20 @@ def process_user_form(user_id: int = 0) -> str | WerkzeugResponse:
         return redirect(url_for("admin_bp.form_user", user_id=user.id))
 
     # Create a new user
-    new_user = User(
-        login=form.login.data,
-        email=form.email.data,
-        name=form.name.data,
-        organisation=form.organisation.data,
-        is_active=form.is_active.data,
-        is_confirmed=form.is_confirmed.data,
-        is_admin=form.is_admin.data,
-        pwdhash=generate_password_hash(form.password.data),
-    )
+    try:
+        new_user = User(
+            login=form.login.data,
+            email=form.email.data,
+            name=form.name.data,
+            organisation=form.organisation.data,
+            is_active=form.is_active.data,
+            is_confirmed=form.is_confirmed.data,
+            is_admin=form.is_admin.data,
+            pwdhash=generate_password_hash(form.password.data),
+        )
+    except AssertionError as e:
+        flash(f"{e}", "danger")
+        return render_template("admin/edit_user.html", form=form)
     db.session.add(new_user)
     db.session.commit()
     flash(

diff --git a/website/web/views/session_mgmt.py b/website/web/views/session_mgmt.py
@@ -162,6 +162,9 @@ def signup() -> str | WerkzeugResponse:
             )
             db.session.add(new_user)
             db.session.commit()
+        except AssertionError as e:
+            flash(f"{e}", "danger")
+            return render_template("user/signup.html", form=form)
         except sqlalchemy.exc.IntegrityError:
             db.session.rollback()
             flash("Problem while creating the account.", "danger")