From e482e6bd3d28c21416c68537a8b3a645c7dad0ac Mon Sep 17 00:00:00 2001 From: Emmanuel Viennet Date: Fri, 17 Mar 2023 19:33:10 +0100 Subject: [PATCH] =?UTF-8?q?Renforce=20v=C3=A9rification=20formulaire=20de?= =?UTF-8?q?=20login=20pour=20=C3=A9viter=20de=20d=C3=A9clencher=20une=20er?= =?UTF-8?q?reur=20SQL?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/auth/models.py | 15 ++++++++++++--- app/auth/routes.py | 9 ++++++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/app/auth/models.py b/app/auth/models.py index 8ff8e885..8743850d 100644 --- a/app/auth/models.py +++ b/app/auth/models.py @@ -32,7 +32,7 @@ from app.scodoc import sco_etud # a deplacer dans scu VALID_LOGIN_EXP = re.compile(r"^[a-zA-Z0-9@\\\-_\.]+$") -def is_valid_password(cleartxt): +def is_valid_password(cleartxt) -> bool: """Check password. returns True if OK. """ @@ -49,6 +49,15 @@ def is_valid_password(cleartxt): return False +def invalid_user_name(user_name: str) -> bool: + "Check that user_name (aka login) is invalid" + return ( + (len(user_name) < 2) + or (len(user_name) >= USERNAME_STR_LEN) + or not VALID_LOGIN_EXP.match(user_name) + ) + + class User(UserMixin, db.Model): """ScoDoc users, handled by Flask / SQLAlchemy""" @@ -108,7 +117,7 @@ class User(UserMixin, db.Model): self.roles = [] self.user_roles = [] # check login: - if kwargs.get("user_name") and not VALID_LOGIN_EXP.match(kwargs["user_name"]): + if kwargs.get("user_name") and invalid_user_name(kwargs["user_name"]): raise ValueError(f"invalid user_name: {kwargs['user_name']}") super(User, self).__init__(**kwargs) # Ajoute roles: @@ -287,7 +296,7 @@ class User(UserMixin, db.Model): self.user_name = data["user_name"] if "password" in data: self.set_password(data["password"]) - if not VALID_LOGIN_EXP.match(self.user_name): + if not invalid_user_name(self.user_name): raise ValueError(f"invalid user_name: {self.user_name}") # Roles: roles_string is "Ens_RT, Secr_RT, ..." if "roles_string" in data: diff --git a/app/auth/routes.py b/app/auth/routes.py index eb279acb..c3b4f717 100644 --- a/app/auth/routes.py +++ b/app/auth/routes.py @@ -19,8 +19,7 @@ from app.auth.forms import ( ResetPasswordRequestForm, UserCreationForm, ) -from app.auth.models import Role -from app.auth.models import User +from app.auth.models import Role, User, invalid_user_name from app.auth.email import send_password_reset_email from app.decorators import admin_required from app.models.config import ScoDocSiteConfig @@ -34,7 +33,11 @@ def _login_form(): """le formulaire de login, avec un lien CAS s'il est configuré.""" form = LoginForm() if form.validate_on_submit(): - user = User.query.filter_by(user_name=form.user_name.data).first() + # note: ceci est la première requête SQL déclenchée par un utilisateur arrivant + if invalid_user_name(form.user_name.data): + user = None + else: + user = User.query.filter_by(user_name=form.user_name.data).first() if user is None or not user.check_password(form.password.data): current_app.logger.info("login: invalid (%s)", form.user_name.data) flash(_("Nom ou mot de passe invalide"))