Fixed adduserbatch validation.

This commit is contained in:
Ylian Saint-Hilaire 2020-06-21 22:33:59 -07:00
parent 381f319c6f
commit a1389cd40d
2 changed files with 34 additions and 14 deletions

View File

@ -1596,20 +1596,30 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
} }
case 'adduserbatch': case 'adduserbatch':
{ {
var err = null;
// Add many new user accounts // Add many new user accounts
if ((user.siteadmin & 2) == 0) break; if ((user.siteadmin & 2) == 0) { err = 'Access denied'; }
if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) break; else if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { err = 'Unable to create users when in SSPI or LDAP mode'; }
if (!Array.isArray(command.users)) break; else if (!Array.isArray(command.users)) { err = 'Invalid users'; }
else {
var userCount = 0; var userCount = 0;
for (var i in command.users) { for (var i in command.users) {
if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here. if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here.
if (common.validateUsername(command.users[i].user, 1, 256) == false) break; // Username is between 1 and 64 characters, no spaces if (common.validateUsername(command.users[i].user, 1, 256) == false) { err = 'Invalid username'; break; } // Username is between 1 and 64 characters, no spaces
if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) break; // This is a reserved user name or invalid name if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) { err = 'Invalid username'; break; } // This is a reserved user name or invalid name
if (common.validateString(command.users[i].pass, 1, 256) == false) break; // Password is between 1 and 256 characters if (common.validateString(command.users[i].pass, 1, 256) == false) { err = 'Invalid password'; break; } // Password is between 1 and 256 characters
if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) break; // Password does not meet requirements if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) { err = 'Invalid password'; break; } // Password does not meet requirements
if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) break; // Check if this is a valid email address if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) { err = 'Invalid email'; break; } // Check if this is a valid email address
userCount++; userCount++;
} }
}
// Handle any errors
if (err != null) {
if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'adduserbatch', responseid: command.responseid, result: err })); } catch (ex) { } }
break;
}
// Check if we exceed the maximum number of user accounts // Check if we exceed the maximum number of user accounts
db.isMaxType(domain.limits.maxuseraccounts + userCount, 'user', domain.id, function (maxExceed) { db.isMaxType(domain.limits.maxuseraccounts + userCount, 'user', domain.id, function (maxExceed) {

View File

@ -2615,9 +2615,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
const domain = getDomain(req); const domain = getDomain(req);
if (domain == null) { parent.debug('web', 'handleMeScriptRequest: no domain'); res.sendStatus(404); return; } if (domain == null) { parent.debug('web', 'handleMeScriptRequest: no domain'); res.sendStatus(404); return; }
if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only. if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only.
// Get the user and check user rights
var authUserid = null;
if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; }
if (authUserid == null) { res.sendStatus(401); return; }
const user = obj.users[authUserid];
if (user == null) { res.sendStatus(401); return; }
if ((req.query.type == 1) && (req.query.meshid != null)) { if ((req.query.type == 1) && (req.query.meshid != null)) {
// Get the CIRA install script
if (obj.IsMeshViewable(user, req.query.meshid) == false) { res.sendStatus(404); return; }
obj.getCiraConfigurationScript(req.query.meshid, function (script) { obj.getCiraConfigurationScript(req.query.meshid, function (script) {
if (script == null) { res.sendStatus(404); } else { if (script == null) { res.sendStatus(404); } else {
try { try {
@ -2630,6 +2639,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
} }
}); });
} else if (req.query.type == 2) { } else if (req.query.type == 2) {
// Get the CIRA cleanup script
obj.getCiraCleanupScript(function (script) { obj.getCiraCleanupScript(function (script) {
if (script == null) { res.sendStatus(404); } else { if (script == null) { res.sendStatus(404); } else {
res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_cleanup.mescript"' }); res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_cleanup.mescript"' });