external/SponsorBlockServer
1
0
Fork 0
mirror of https://github.com/ajayyy/SponsorBlockServer.git synced 2024-11-10 01:02:30 +01:00
Code Issues Projects Releases Packages Wiki Activity

more lenient privateIDUsername checks

Browse source 
- disallow username = privateID
- disallow username = other privateID on username table if length > minLength
This commit is contained in:
Michael C 2023-02-17 22:28:23 -05:00
parent b855eea349
commit a384079562
No known key found for this signature in database
GPG key ID: FFB04FB3B878B7B4
3 changed files with 125 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/routes/setUsername.ts
View file

@ -33,14 +33,9 @@ export async function setUsername(req: Request, res: Response): Promise<Response
userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, ""); userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");
// check privateID against publicID // check privateID against publicID
/*
if (!await checkPrivateUsername(userName, userID)) { if (!await checkPrivateUsername(userName, userID)) {
return res.sendStatus(400); return res.sendStatus(400);
} }
*/
if (userName == userID) {
return res.sendStatus(400);
}
if (adminUserIDInput != undefined) { if (adminUserIDInput != undefined) {
//this is the admin controlling the other users account, don't hash the controling account's ID //this is the admin controlling the other users account, don't hash the controling account's ID
@ -100,11 +95,10 @@ export async function setUsername(req: Request, res: Response): Promise<Response
} }
async function checkPrivateUsername(username: string, userID: string): Promise<boolean> { async function checkPrivateUsername(username: string, userID: string): Promise<boolean> {
const userIDHash = await getHashCache(userID); if (username == userID) return false;
if (username.length <= config.minUserIDLength) return true; // don't check for cross matches <= 30 characters
const userNameHash = await getHashCache(username); const userNameHash = await getHashCache(username);
if (userIDHash == userNameHash) return false;
const sponsorTimeRow = await db.prepare("get", `SELECT "userID" FROM "sponsorTimes" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]); const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
if ((sponsorTimeRow || userNameRow)?.userID) return false; if (userNameRow?.userID) return false;
return true; return true;
} }

60
test/cases/setUsername.ts
View file

@ -22,16 +22,6 @@ const user07PrivateUserID = "setUsername_07";
const username07 = "Username 07"; const username07 = "Username 07";
const user08PrivateUserID = "setUsername_08"; const user08PrivateUserID = "setUsername_08";
// private = public cases
// user09 - username === privateID
const user09PrivateUserID = "setUsername_09";
// user 10/11 - user 11 username === user 10 privateID
const user10PrivateUserID = "setUsername_10_collision";
const username10 = "setUsername_10";
const user11PrivateUserID = "setUsername_11";
const user12PrivateUserID = "setUsername_12";
const username12 = "Username 12";
async function addUsername(userID: string, userName: string, locked = 0) { async function addUsername(userID: string, userName: string, locked = 0) {
await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]); await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
await addLogUserNameChange(userID, userName); await addLogUserNameChange(userID, userName);
@ -40,7 +30,7 @@ async function addUsername(userID: string, userName: string, locked = 0) {
async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string}> { async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string}> {
const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]); const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]);
if (!row) { if (!row) {
return null; throw new Error("No username found");
} }
return row; return row;
} }
@ -98,9 +88,6 @@ describe("setUsername", () => {
await addUsername(getHash(user05PrivateUserID), username05, 0); await addUsername(getHash(user05PrivateUserID), username05, 0);
await addUsername(getHash(user06PrivateUserID), username06, 0); await addUsername(getHash(user06PrivateUserID), username06, 0);
await addUsername(getHash(user07PrivateUserID), username07, 1); await addUsername(getHash(user07PrivateUserID), username07, 1);
await addUsername(getHash(user10PrivateUserID), username10, 0);
// user11 skipped
await addUsername(getHash(user12PrivateUserID), username12, 0);
}); });
it("Should be able to set username that has never been set", (done) => { it("Should be able to set username that has never been set", (done) => {
@ -249,47 +236,10 @@ describe("setUsername", () => {
it("Should delete row if new username is same as publicID", (done) => { it("Should delete row if new username is same as publicID", (done) => {
const publicID = getHash(user08PrivateUserID); const publicID = getHash(user08PrivateUserID);
postSetUserName(getHash(user08PrivateUserID), publicID) postSetUserName(getHash(user08PrivateUserID), publicID)
.then(async () => { .then(() => {
const usernameInfo = await getUsernameInfo(getHash(user08PrivateUserID)); getUsernameInfo(getHash(user08PrivateUserID))
assert.strictEqual(usernameInfo, null); .then(usernameinfo => done(`Username should be deleted - ${usernameinfo})`))
done(); .catch(() => done());
})
.catch((err) => done(err));
});
it("Should return error if trying to set username to privateID", (done) => {
const privateID = user09PrivateUserID;
postSetUserName(privateID, privateID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await getUsernameInfo(getHash(privateID));
assert.strictEqual(usernameInfo, null);
done();
})
.catch((err) => done(err));
});
it("Should return error if trying to set username to someone else's privateID", (done) => {
const privateID = user11PrivateUserID;
postSetUserName(privateID, user10PrivateUserID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's privateID
assert.strictEqual(usernameInfo, null);
done();
})
.catch((err) => done(err));
});
it("Should not return error if trying to set username to someone else's publicID", (done) => {
const privateID = user12PrivateUserID;
const user10PublicID = getHash(user10PrivateUserID);
postSetUserName(privateID, user10PublicID)
.then(async (res) => {
assert.strictEqual(res.status, 200);
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's publicID
assert.strictEqual(usernameInfo.userName, user10PublicID);
done();
}) })
.catch((err) => done(err)); .catch((err) => done(err));
}); });

117
test/cases/setUsernamePrivate.ts Normal file
View file

@ -0,0 +1,117 @@
import { db } from "../../src/databases/databases";
import { getHash } from "../../src/utils/getHash";
import assert from "assert";
import { client } from "../utils/httpClient";
import { config } from "../../src/config";
import sinon from "sinon";
const USERID_LIMIT = 30;
// preexisting username with userid < Limit
const preExisting_underLimit = "preExisting_under";
// preexisting username with userid > Limit
const preExisting_overLimit = `preExisting_over${"*".repeat(USERID_LIMIT)}`;
// new username to privateID < Limit
const newUser_underLimit = "newUser_under";
// new username to privateID > Limit
const newUser_overLimit = `newUser_over${"*".repeat(USERID_LIMIT)}`;
// new username to someone else'e privateID
const otherUser = `otherUser${"*".repeat(USERID_LIMIT)}`;
const addUsername = async (userID: string, userName: string, locked = 0) =>
await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
async function hasSetUsername(userID: string): Promise<boolean> {
const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]);
return Boolean(row);
}
const endpoint = "/api/setUsername";
const postSetUserName = (userID: string, username: string) => client({
method: "POST",
url: endpoint,
params: {
userID,
username,
}
});
describe("setUsernamePrivate tests", () => {
// add preexisitng usernames
before(async () => {
await addUsername(getHash(preExisting_underLimit), preExisting_underLimit, 0);
await addUsername(getHash(preExisting_overLimit), preExisting_overLimit, 0);
});
// stub minUserIDLength
before(() => sinon.stub(config, "minUserIDLength").value(USERID_LIMIT));
after(() => sinon.restore());
it("Existing privateID = username under Limit should retreive successfully", (done) => {
const privateID = preExisting_underLimit;
hasSetUsername(getHash(privateID))
.then((usernameInfo) => {
assert.ok(usernameInfo);
done();
});
});
it("Existing privateID = username over Limit should retreive successfully", (done) => {
const privateID = preExisting_overLimit;
hasSetUsername(getHash(privateID))
.then((usernameInfo) => {
assert.ok(usernameInfo);
done();
});
});
it("Should return error if trying to set userID = username under limit", (done) => {
const privateID = newUser_underLimit;
postSetUserName(privateID, privateID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await hasSetUsername(getHash(privateID));
assert.ok(!usernameInfo);
done();
})
.catch((err) => done(err));
});
it("Should return error if trying to set username = other privateID over limit", (done) => {
const privateID = newUser_overLimit;
postSetUserName(privateID, privateID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await hasSetUsername(getHash(privateID));
assert.ok(!usernameInfo);
done();
})
.catch((err) => done(err));
});
it("Should return error if trying to set username = other privateID over limit", (done) => {
const privateID = otherUser;
const otherUserPrivate = preExisting_overLimit;
postSetUserName(privateID, otherUserPrivate)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await hasSetUsername(getHash(privateID));
assert.ok(!usernameInfo);
done();
})
.catch((err) => done(err));
});
it("Should not return error if trying to set username = other privateID under limit", (done) => {
const privateID = otherUser;
const otherUserPrivate = preExisting_underLimit;
postSetUserName(privateID, otherUserPrivate)
.then(async (res) => {
assert.strictEqual(res.status, 200);
const usernameInfo = await hasSetUsername(getHash(privateID));
assert.ok(usernameInfo);
done();
})
.catch((err) => done(err));
});
});