Moonlight-Panel/Moonlight
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added missing input validation in oauth2 register request

Browse Source
This commit is contained in:
ChiaraBm
2025-06-01 15:34:17 +02:00
parent 110e055e24
commit a1cb4f243a
1 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
Moonlight.ApiServer/Http/Controllers/OAuth2/OAuth2Controller.cs
View File

@@ -1,6 +1,8 @@
using System.IdentityModel.Tokens.Jwt; using System.ComponentModel.DataAnnotations;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims; using System.Security.Claims;
using System.Text; using System.Text;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
@@ -17,7 +19,7 @@ namespace Moonlight.ApiServer.Http.Controllers.OAuth2;
[ApiController] [ApiController]
[Route("oauth2")] [Route("oauth2")]
public class OAuth2Controller : Controller public partial class OAuth2Controller : Controller
{ {
private readonly AppConfiguration Configuration; private readonly AppConfiguration Configuration;
private readonly DatabaseRepository<User> UserRepository; private readonly DatabaseRepository<User> UserRepository;
@@ -85,7 +87,7 @@ public class OAuth2Controller : Controller
[FromQuery(Name = "client_id")] string clientId, [FromQuery(Name = "client_id")] string clientId,
[FromQuery(Name = "redirect_uri")] string redirectUri, [FromQuery(Name = "redirect_uri")] string redirectUri,
[FromQuery(Name = "response_type")] string responseType, [FromQuery(Name = "response_type")] string responseType,
[FromForm(Name = "email")] string email, [FromForm(Name = "email")] [EmailAddress(ErrorMessage = "You need to provide a valid email address")] string email,
[FromForm(Name = "password")] string password, [FromForm(Name = "password")] string password,
[FromForm(Name = "username")] string username = "", [FromForm(Name = "username")] string username = "",
[FromQuery(Name = "view")] string view = "login" [FromQuery(Name = "view")] string view = "login"
@@ -274,6 +276,9 @@ public class OAuth2Controller : Controller
if (await UserRepository.Get().AnyAsync(x => x.Email == email)) if (await UserRepository.Get().AnyAsync(x => x.Email == email))
throw new HttpApiException("A account with that email already exists", 400); throw new HttpApiException("A account with that email already exists", 400);
if (!UsernameRegex().IsMatch(username))
throw new HttpApiException("The username is only allowed to be contained out of small characters and numbers", 400);
var user = new User() var user = new User()
{ {
Username = username, Username = username,
@@ -307,4 +312,7 @@ public class OAuth2Controller : Controller
return user; return user;
} }
[GeneratedRegex("^[a-z][a-z0-9]*$")]
private static partial Regex UsernameRegex();
} }