Posted to commits@rave.apache.org by ja...@apache.org on 2011/08/23 14:02:51 UTC

svn commit: r1160644 - in /incubator/rave/trunk/rave-portal/src: main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java main/resources/messages.properties test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java

Author: jasha
Date: Tue Aug 23 12:02:50 2011
New Revision: 1160644

URL: http://svn.apache.org/viewvc?rev=1160644&view=rev
Log:
RAVE-123 restrict user name characters (to prevent certain vulnerabilities)

Modified:
    incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java
    incubator/rave/trunk/rave-portal/src/main/resources/messages.properties
    incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java

Modified: incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java (original)
+++ incubator/rave/trunk/rave-portal/src/main/java/org/apache/rave/portal/web/validator/NewAccountValidator.java Tue Aug 23 12:02:50 2011
@@ -33,6 +33,7 @@ public class NewAccountValidator impleme
 
     private final Logger logger = LoggerFactory.getLogger(getClass());
 
+    private static final String USERNAME_PATTERN = "[\\w\\+\\-\\.@]{2,}";
     private UserService userService;
 
     @Autowired
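Review bot: USERNAME_PATTERN has no upper bound (`{2,}`), so the validator now accepts arbitrarily long user names; if the user store or any display path has a length limit, cap it at the constant, e.g. `"[\\w\\+\\-\\.@]{2,MAX_LEN}"` with MAX_LEN replaced by the real column width. `\w` in java.util.regex is ASCII-only (`[a-zA-Z0-9_]`) unless `UNICODE_CHARACTER_CLASS` is set, which matches the intent described in the next hunk's comment but silently rejects non-ASCII letters, so a comment on the constant would stop a later reader from "fixing" it: `// ASCII only by design: \w is [a-zA-Z0-9_] without UNICODE_CHARACTER_CLASS`. Since the check runs on every registration attempt, consider `private static final Pattern USERNAME_PATTERN = Pattern.compile("[\\w\\+\\-\\.@]{2,}");` and `USERNAME_PATTERN.matcher(username).matches()` in validate() rather than `String.matches`, which recompiles the regex on each call. The enclosing class continues outside this hunk.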
@@ -49,20 +50,20 @@ public class NewAccountValidator impleme
         NewUser newUser = (NewUser) obj;
 
         //check if the username is null or empty
-        if (StringUtils.isBlank(newUser.getUsername())) {
+        final String username = newUser.getUsername();
+        if (StringUtils.isBlank(username)) {
             errors.rejectValue("username", "username.required");
             logger.info("Username required");
         }
 
-        //check if username length is less than 2
-        else if (newUser.getUsername().length() < 2) {
-            errors.rejectValue("username", "username.invalid.length");
+        // at least 2 characters of the following: a-z A-Z 0-9 _ - + . @
+        else if (!username.matches(USERNAME_PATTERN)) {
+            errors.rejectValue("username", "username.invalid.pattern");
             logger.info("Username must be atleast 2 characters long");
         }
 
         //check if username is already in use
-
-        else if (userService.getUserByUsername(newUser.getUsername()) != null) {
+        else if (userService.getUserByUsername(username) != null) {
             errors.rejectValue("username", "username.exits");
             logger.info("Username already exists");
         }
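Review bot: The log message on the pattern-mismatch branch still reads `Username must be atleast 2 characters long`, but after this change the branch also fires for illegal characters, so the log misstates why a registration was rejected; change it to `logger.info("Username rejected: must be at least 2 characters of [a-zA-Z0-9_+-.@]");`. The new pattern also makes `username.invalid.length` unreachable from this validator, which is worth noting in the commit log or by removing the key if nothing else resolves it. The validate() method starts before and ends after this hunk.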

Modified: incubator/rave/trunk/rave-portal/src/main/resources/messages.properties
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/main/resources/messages.properties?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/main/resources/messages.properties (original)
+++ incubator/rave/trunk/rave-portal/src/main/resources/messages.properties Tue Aug 23 12:02:50 2011
@@ -19,6 +19,8 @@
 
 username.required=Username required
 username.invalid.length=Username must be atleast 2 characters long
+username.invalid.pattern=Username must be at least 2 characters long and may only contain letters, numbers, \
+  _-+.@
 username.exits=Username already exists
 
 password.required=Password required
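Review bot: The new `username.invalid.pattern` text promises "letters, numbers", but the validator's `\w` class accepts only unaccented ASCII letters, so a user entering an accented name gets a message that appears to allow it; rewording to `may only contain unaccented letters a-z, digits, and _-+.@` keeps the message honest. `username.invalid.length` appears to be no longer emitted by NewAccountValidator after the first hunk of this commit; if no other code references the key, it can be dropped here.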

Modified: incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java?rev=1160644&r1=1160643&r2=1160644&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java (original)
+++ incubator/rave/trunk/rave-portal/src/test/java/org/apache/rave/portal/web/validator/NewAccountValidatorTest.java Tue Aug 23 12:02:50 2011
@@ -127,6 +127,24 @@ public class NewAccountValidatorTest {
     }
 
     @Test
+    public void testValidationFailsOnIllegalCharacters() throws Exception {
+        NewUser newUser = new NewUser();
+        final String badUsername = "x'; DROP TABLE members; --";
+        newUser.setUsername(badUsername);
+        newUser.setPassword(VALID_PASSWORD);
+        newUser.setConfirmPassword(VALID_PASSWORD);
+        newUser.setPageLayout(VALID_PAGELAYOUT);
+        Errors errors = new BindException(newUser, NEW_USER);
+        expect(mockUserService.getUserByUsername(badUsername)).andReturn(null);
+        replay(mockUserService);
+
+        newAccountValidator.validate(newUser, errors);
+
+        assertTrue("Validation errors", errors.hasErrors());
+        assertNotNull(errors.getFieldError(FIELD_USERNAME));
+    }
+
+    @Test
     public void testValidationFailsOnShortPassword() throws Exception {
         NewUser newUser = new NewUser();
         newUser.setUsername(VALID_NAME);
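Review bot: The expectation at `expect(mockUserService.getUserByUsername(badUsername)).andReturn(null)` in testValidationFailsOnIllegalCharacters is never consumed, because the pattern check short-circuits before the uniqueness lookup, and with no `verify(mockUserService)` the unused expectation passes silently while suggesting the lookup is expected; drop it and pin which rule fired with `assertEquals("username.invalid.pattern", errors.getFieldError(FIELD_USERNAME).getCode());`. One adversarial string also leaves the boundary of the new rule untested: a one-character name, a name containing whitespace, and an accepted value such as `"first.last+tag@example"` (constructed) would show the pattern rejects and accepts what the comment in NewAccountValidator claims. testValidationFailsOnShortPassword continues outside this hunk.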