From 9f06359d5ef3b179038d8132af675e12733d7bcf Mon Sep 17 00:00:00 2001
From: Jonas Wagner
Date: Fri, 13 May 2022 07:09:34 +0200
Subject: [PATCH] Clean the user's display name on update.

The user's display name should always be clean (see for example functions/src/create-user.ts). However, change-user-info.ts does not enforce this, thus potentially allowing a malicious user to change their name to something that doesn't satisfy the rules for clean display names.

Note: this cannot happen currently because all callers (in profile.tsx) clean the name. However, doing it here is good defense in depth (similar to how the userName is cleaned).
---
 functions/src/change-user-info.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/functions/src/change-user-info.ts b/functions/src/change-user-info.ts
index f85d45b3..78da65e3 100644
--- a/functions/src/change-user-info.ts
+++ b/functions/src/change-user-info.ts
@@ -5,7 +5,7 @@ import { getUser } from './utils'
 import { Contract } from 'common/contract'
 import { Comment } from 'common/comment'
 import { User } from 'common/user'
-import { cleanUsername } from 'common/util/clean-username'
+import { cleanUsername, cleanDisplayName } from 'common/util/clean-username'
 import { removeUndefinedProps } from 'common/util/object'
 import { Answer } from 'common/answer'
 
@@ -63,6 +63,10 @@ export const changeUser = async (
 }
 }
 
+if (update.name) {
+update.name = cleanDisplayName(update.name);
+}
+
 const userRef = firestore.collection('users').doc(user.id)
 const userUpdate: Partial = removeUndefinedProps(update)