Fix Security issue: Hyperlink injection.

Thanks to mc-marcy and xet7 !

Fixes #5176
Lauri Ojansivu 2023-10-31 16:04:25 +02:00
parent 4825bcec8d
commit 4fe168b03b


@ -1325,6 +1325,14 @@ if (Meteor.isServer) {
check(importUsernames, Array);
check(userOrgsArray, Array);
check(userTeamsArray, Array);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (fullname.includes('/') ||
username.includes('/') ||
email.includes('/') ||
initials.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
const nUsersWithUsername = ReactiveCache.getUsers({
username,
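Review bot: The new guard only rejects a literal `/`, so an injected link that needs no slash (a bare `example.com`, a `mailto:` address, or text an autolink/markdown pass turns into a link) still passes, and a denylist on one character is fragile compared with escaping these fields where they are rendered; that rendering fix is not part of this commit. `return false` also fails silently, so the caller cannot tell a rejected value from a no-op; in a Meteor method `throw new Meteor.Error('invalid-input', 'Slash is not allowed in user fields');` is the usual way to report it. If `fullname` or `initials` can be undefined here (their `check` calls are outside the hunk), `.includes` will throw a TypeError rather than return. The same four-line guard is duplicated across eight methods; a helper such as `const hasSlash = (...vals) => vals.some((v) => typeof v === 'string' && v.includes('/'));` would remove the copy/paste and keep the rule in one place. The enclosing method starts before this hunk.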
@ -1365,6 +1373,12 @@ if (Meteor.isServer) {
setUsername(username, userId) {
check(username, String);
check(userId, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (username.includes('/') ||
userId.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
const nUsersWithUsername = ReactiveCache.getUsers({
username,
@ -1383,6 +1397,12 @@ if (Meteor.isServer) {
setEmail(email, userId) {
check(email, String);
check(username, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (username.includes('/') ||
email.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
if (Array.isArray(email)) {
email = email.shift();
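Review bot: `check(username, String)` and `username.includes('/')` in this setEmail hunk refer to a `username` that is not a parameter of `setEmail(email, userId)`, so unless an outer binding happens to exist the method will throw a ReferenceError (or a Match failure) on that line instead of validating, and `userId` is never checked at all. This looks like the setUsername guard pasted in unchanged; the lines should read `check(userId, String);` followed by `if (email.includes('/') || userId.includes('/')) { return false; }`. Note that `email` is tested with `.includes` before the `Array.isArray(email)` branch below, which will throw if an array is actually passed; the slash check should run after `email` has been normalised to a string. setEmail's body continues outside the hunk.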
@ -1417,6 +1437,13 @@ if (Meteor.isServer) {
check(username, String);
check(email, String);
check(userId, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (username.includes('/') ||
email.includes('/') ||
userId.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
if (Array.isArray(email)) {
email = email.shift();
@ -1436,6 +1463,12 @@ if (Meteor.isServer) {
check(email, String);
check(verified, Boolean);
check(userId, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (email.includes('/') ||
userId.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
Users.update(userId, {
$set: {
@ -1452,6 +1485,12 @@ if (Meteor.isServer) {
setInitials(initials, userId) {
check(initials, String);
check(userId, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (initials.includes('/') ||
userId.includes('/')) {
return false;
}
if (ReactiveCache.getCurrentUser()?.isAdmin) {
Users.update(userId, {
$set: {
@ -1464,7 +1503,12 @@ if (Meteor.isServer) {
inviteUserToBoard(username, boardId) {
check(username, String);
check(boardId, String);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (username.includes('/') ||
boardId.includes('/')) {
return false;
}
const inviter = ReactiveCache.getCurrentUser();
const board = ReactiveCache.getBoard(boardId);
const allowInvite =
@ -1507,6 +1551,12 @@ if (Meteor.isServer) {
// Set in lowercase email before creating account
const email = username.toLowerCase();
username = email.substring(0, posAt);
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (username.includes('/') ||
email.includes('/')) {
return false;
}
const newUserId = Accounts.createUser({
username,
email,
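Review bot: `username.includes('/')` is redundant in this guard: `username` is `email.substring(0, posAt)`, so any slash it contains is also in `email` and already rejected by the second test; `if (email.includes('/')) { return false; }` is sufficient. The check runs on the lowercased, derived values rather than on the raw input, which is fine because neither `toLowerCase` nor `substring` can introduce a slash. As elsewhere in this commit the silent `return false` leaves the caller with no indication why the account was not created. The enclosing method starts before this hunk.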
@ -1687,6 +1737,16 @@ if (Meteor.isServer) {
verified: true,
},
];
// Prevent Hyperlink Injection https://github.com/wekan/wekan/issues/5176
// Thanks to mc-marcy and xet7 !
if (user.username.includes('/') ||
email.includes('/')) {
return false;
}
const initials = user.services.oidc.fullname
.split(/\s+/)
.reduce((memo, word) => {