open.source/manifold
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Clean the user's display name on update.

Browse Source 
The user's display name should always be clean (see for example
functions/src/create-user.ts). However, change-user-info.ts does not
enforce this, thus potentially allowing a malicious user to change their
name to something that doesn't satisfy the rules for clean display
names.

Note: this cannot happen currently because all callers (in profile.tsx)
clean the name. However, doing it here is good defense in depth
(similar to how the userName is cleaned).
This commit is contained in:
Jonas Wagner 2022-05-13 07:09:34 +02:00
parent 06cdf2a84a
commit 9f06359d5e
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
functions/src/change-user-info.ts
View File

@ -5,7 +5,7 @@ import { getUser } from './utils'
import { Contract } from 'common/contract'
import { Comment } from 'common/comment'
import { User } from 'common/user'
import { cleanUsername } from 'common/util/clean-username'
import { cleanUsername, cleanDisplayName } from 'common/util/clean-username'
import { removeUndefinedProps } from 'common/util/object'
import { Answer } from 'common/answer'
@ -63,6 +63,10 @@ export const changeUser = async (
}
}
if (update.name) {
update.name = cleanDisplayName(update.name);
}
const userRef = firestore.collection('users').doc(user.id)
const userUpdate: Partial<User> = removeUndefinedProps(update)