From a81a16dce5e16eab422c73eb66515ae7bea52c5b Mon Sep 17 00:00:00 2001
From: Amolith
Date: Sat, 22 Jun 2024 17:54:54 -0400
Subject: [PATCH] Sanitise CLI pwd input as in frontend

References: https://todo.sr.ht/~amolith/willow/32
---
 cmd/cli.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/cmd/cli.go b/cmd/cli.go
index d4f75767b99b6d51be38dad33fb95ce79ba1801b..e432890c09f981468fc43a9ce8c80681c59c8318 100644
--- a/cmd/cli.go
+++ b/cmd/cli.go
@@ -11,9 +11,12 @@ import (
 	"syscall"
 
 	"git.sr.ht/~amolith/willow/users"
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/term"
 )
 
+var bmStrict = bluemonday.StrictPolicy()
+
 // createUser is a CLI that creates a new user with the specified username
 func createUser(dbConn *sql.DB, username string) {
 	fmt.Println("Creating user", username)
@@ -38,7 +41,16 @@ func createUser(dbConn *sql.DB, username string) {
 		fmt.Println("Passwords do not match")
 		os.Exit(1)
 	}
-	err = users.Register(dbConn, username, string(password))
+
+	// Both frontend and backend need to sanitise the
+	// password the same way. This feel like a code
+	// smell; user creation should all be in the user
+	// package and the cli and frontend and API and
+	// everything should use that.
+	//
+	// TODO: Abstract this
+	sanitisedPassword := bmStrict.Sanitize(string(password))
+	err = users.Register(dbConn, username, sanitisedPassword)
 	if err != nil {
 		fmt.Println("Error creating user:", err)
 		os.Exit(1)
@@ -94,7 +106,9 @@ func checkAuthorised(dbConn *sql.DB, username string) {
 	}
 	fmt.Println()
 
-	authorised, err := users.UserAuthorised(dbConn, username, string(password))
+	// TODO: Abstract this, refer to note in createUser()
+	sanitisedPassword := bmStrict.Sanitize(string(password))
+	authorised, err := users.UserAuthorised(dbConn, username, sanitisedPassword)
 	if err != nil {
 		fmt.Println("Error checking authorisation:", err)
 		os.Exit(1)
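Review bot: Running the password through an HTML sanitiser before `users.Register` (and before `users.UserAuthorised` in the third hunk) silently rewrites the secret: bluemonday's StrictPolicy strips anything tag-like and, as I understand its output, escapes characters such as `<`, `>` and `&` in what remains, so a user who chose such a password gets a different, lower-entropy string stored without any indication, and any future change in bluemonday's output would lock those accounts out. A password is never rendered as HTML, so the consistent fix is to drop the sanitisation on both the frontend and the CLI rather than duplicate it here — `err = users.Register(dbConn, username, string(password))` — and, if some normalisation or validation is wanted, to do it once inside the `users` package as the TODO already suggests. If the frontend cannot change in the same release, at least reject instead of rewrite: compare `sanitisedPassword` with `string(password)` and exit with a message when they differ, so the user learns the character set is restricted rather than discovering it at login. Both enclosing functions start and end outside these hunks.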