From 2d321dd3d867f3939848b026cf461c198b50f2e7 Mon Sep 17 00:00:00 2001
From: dartcafe
Date: Thu, 14 Mar 2024 12:48:07 +0100
Subject: [PATCH 1/3] strip some unicodes from public username
Signed-off-by: dartcafe
---
 lib/Service/SystemService.php | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/lib/Service/SystemService.php b/lib/Service/SystemService.php
index e7be458e3..2a8a7616c 100644
--- a/lib/Service/SystemService.php
+++ b/lib/Service/SystemService.php
@@ -45,6 +45,8 @@ use Psr\Log\LoggerInterface;
 class SystemService {
+ private const REGEX_INVALID_USERNAME_CHARACTERS = '/[\x{2000}-\x{206F}]/u';
+
 /**
 * @psalm-suppress PossiblyUnusedMethod
 */
@@ -195,6 +197,7 @@ public function getGenericLanguage(): string {
 * @return string returns the allowed username
 */
 public function validatePublicUsername(string $userName, ?Share $share = null, ?string $token = null): string {
+ $userName = preg_replace(self::REGEX_INVALID_USERNAME_CHARACTERS, '', $userName);
 if (!$userName) {
 throw new TooShortException('Username must not be empty');
 }
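Review bot: The range `[\x{2000}-\x{206F}]` in REGEX_INVALID_USERNAME_CHARACTERS both overshoots and undershoots: it strips visible punctuation a legitimate name may contain (en/em dash U+2013/U+2014, curly quotes U+2018–U+201D, ellipsis U+2026), while invisible format characters outside that block survive — U+FEFF (zero-width no-break space), U+00AD (soft hyphen) and U+180E are the usual ones — so two names that render identically can still pass the uniqueness checks later in validatePublicUsername. Targeting Unicode categories instead of a codepoint block, e.g. `private const REGEX_INVALID_USERNAME_CHARACTERS = '/[\p{Cf}\p{Cc}\p{Zl}\p{Zp}]/u';`, removes format, control and line/paragraph separators wherever they are encoded and leaves punctuation alone; the Zs spaces U+2000–U+200A the old range also caught would then need the same treatment as other Unicode spaces. A one-line comment above the constant stating what it is meant to remove (invisible and directionality-changing characters, not punctuation) would make the intent reviewable next time the range is touched.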
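Review bot: `preg_replace()` returns null when the subject is not valid UTF-8 (the `u` modifier fails with PREG_BAD_UTF8_ERROR), so on the added line `$userName` becomes null, the following `if (!$userName)` reports the name as empty with a misleading TooShortException message, and in PATCH 2/3 the same null is passed to `trim()`, which PHP 8.1 deprecates. Failing closed is the right outcome, but the reason should be explicit and the deprecation avoided: `$userName = preg_replace(self::REGEX_INVALID_USERNAME_CHARACTERS, '', $userName) ?? throw new InvalidUsernameException;`. The remainder of validatePublicUsername is outside this hunk.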
@@ -205,38 +208,38 @@ public function validatePublicUsername(string $userName, ?Share $share = null, ?
 return $userName;
 }
- $userName = strtolower(trim($userName));
+ $compareUserName = strtolower(trim($userName));
 // reserved usernames
- if (str_contains($userName, 'deleted user') || str_contains($userName, 'anonymous')) {
+ if (str_contains($compareUserName, 'deleted user') || str_contains($compareUserName, 'anonymous')) {
 throw new InvalidUsernameException;
 }
 // get all groups, that include the requested username in their gid
 // or displayname and check if any match completely
- foreach (Group::search($userName) as $group) {
- if ($group->hasName($userName)) {
+ foreach (Group::search($compareUserName) as $group) {
+ if ($group->hasName($compareUserName)) {
 throw new InvalidUsernameException;
 }
 }
 // get all users
- foreach (User::search($userName) as $user) {
- if ($user->hasName($userName)) {
+ foreach (User::search($compareUserName) as $user) {
+ if ($user->hasName($compareUserName)) {
 throw new InvalidUsernameException;
 }
 }
 // get all participants
 foreach ($this->voteMapper->findParticipantsByPoll($share->getPollId()) as $vote) {
- if ($vote->getUser()->hasName($userName)) {
+ if ($vote->getUser()->hasName($compareUserName)) {
 throw new InvalidUsernameException;
 }
 }
 // get all shares for this poll
 foreach ($this->shareMapper->findByPoll($share->getPollId()) as $share) {
- if ($share->getType() !== Circle::TYPE && $share->getUser()->hasName($userName)) {
+ if ($share->getType() !== Circle::TYPE && $share->getUser()->hasName($compareUserName)) {
 throw new InvalidUsernameException;
 }
 }
From 6039092127cf595c3623f3858895eeed6a65c048 Mon Sep 17 00:00:00 2001
From: dartcafe
Date: Sat, 16 Mar 2024 09:56:57 +0100
Subject: [PATCH 2/3] trim earlier
Signed-off-by: dartcafe
---
 lib/Service/SystemService.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Service/SystemService.php b/lib/Service/SystemService.php
index 2a8a7616c..139a23ac4 100644
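Review bot: Because `$userName` is no longer reassigned to `strtolower(trim($userName))`, whatever the function returns after these checks (its tail is outside the hunk) is now the case-preserving stripped name rather than the lowercased one, while every collision check still probes with `$compareUserName`. If that is intended — store the name as typed, check it case-insensitively — it is a behaviour change that the `@return string returns the allowed username` docblock and the commit message should state; if any `hasName()` implementation compares case-sensitively against stored names, the lowercased probe will miss mixed-case collisions, so it is worth confirming before merging. A short comment on the `$compareUserName` line such as `// lowercased probe for collision checks only; the returned name keeps its case` would make the split deliberate.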
--- a/lib/Service/SystemService.php
+++ b/lib/Service/SystemService.php
@@ -197,7 +197,7 @@ public function getGenericLanguage(): string {
 * @return string returns the allowed username
 */
 public function validatePublicUsername(string $userName, ?Share $share = null, ?string $token = null): string {
- $userName = preg_replace(self::REGEX_INVALID_USERNAME_CHARACTERS, '', $userName);
+ $userName = trim(preg_replace(self::REGEX_INVALID_USERNAME_CHARACTERS, '', $userName));
 if (!$userName) {
 throw new TooShortException('Username must not be empty');
 }
@@ -208,7 +208,7 @@ public function validatePublicUsername(string $userName, ?Share $share = null, ?
 return $userName;
 }
- $compareUserName = strtolower(trim($userName));
+ $compareUserName = strtolower($userName);
 // reserved usernames
 if (str_contains($compareUserName, 'deleted user') || str_contains($compareUserName, 'anonymous')) {
From c8330e6a11d59e0c39580b987db4fd99b3a57a46 Mon Sep 17 00:00:00 2001
From: dartcafe
Date: Sat, 16 Mar 2024 10:15:12 +0100
Subject: [PATCH 3/3] add stable branch to CoeQL
Signed-off-by: dartcafe
---
 .github/workflows/codeql-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 511114860..216eb6d74 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,7 +4,7 @@ on:
 push:
 branches: [ "master", "next", "stable-*" ]
 pull_request:
- branches: [ "master", "next" ]
+ branches: [ "master", "next", "stable-*" ]
 schedule:
 - cron: '26 15 * * 4'
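Review bot: `trim()` on the new line removes only ASCII whitespace (space, tab, CR, LF, NUL, vertical tab), so a name padded with, or consisting solely of, U+00A0 no-break spaces or U+3000 ideographic spaces passes the `if (!$userName)` emptiness check unchanged: the regex range does not cover those codepoints and trim leaves them in place, which yields a visually blank public username. A Unicode-aware trim after the stripping step closes that gap, e.g. `$userName = preg_replace('/^\p{Z}+|\p{Z}+$/u', '', $userName);` in place of the `trim()` call, keeping interior spaces intact so names such as the reserved `'deleted user'` are still matched later. Since `preg_replace` with the `u` modifier also returns null on invalid UTF-8 input, the null case should be handled before either call rather than flowing into `trim()`. validatePublicUsername continues outside this hunk.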