satellite/console/.../consoleapi: keep special chars in registration info

We no longer use registration information in ways that could be exploited by malicious agents, so filtering special characters is not necessary and has been removed. Resolves storj-private#133 Change-Id: I3eb4803c71ccb307b38f0288fe2af5eec70f8309
2023-01-31 16:37:26 -06:00 · 2023-01-31 16:37:26 -06:00 · 7d039364b9
commit 7d039364b9
parent 1437257dbf
2 changed files with 0 additions and 68 deletions
--- a/satellite/console/consoleweb/consoleapi/auth.go
+++ b/satellite/console/consoleweb/consoleapi/auth.go
@ -6,9 +6,7 @@ package consoleapi
 import (
 	"encoding/json"
 	"errors"
-	"html/template"
 	"net/http"
-	"regexp"
 	"strings"
 	"time"

@ -205,14 +203,6 @@ func (a *Auth) Logout(w http.ResponseWriter, r *http.Request) {
 	a.cookieAuth.RemoveTokenCookie(w)
 }

-// replaceSpecialCharacters replaces characters that could be used to represent a url or html.
-func replaceSpecialCharacters(s string) string {
-	re := regexp.MustCompile(`[\/:\.]`)
-	s = template.HTMLEscapeString(s)
-	s = template.JSEscapeString(s)
-	return re.ReplaceAllString(s, "-")
-}
-
 // Register creates new user, sends activation e-mail.
 // If a user with the given e-mail address already exists, a password reset e-mail is sent instead.
 func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
@ -267,14 +257,6 @@ func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// remove special characters from submitted info so that malicious link or code cannot be injected anywhere.
-	registerData.FullName = replaceSpecialCharacters(registerData.FullName)
-	registerData.ShortName = replaceSpecialCharacters(registerData.ShortName)
-	registerData.Partner = replaceSpecialCharacters(registerData.Partner)
-	registerData.Position = replaceSpecialCharacters(registerData.Position)
-	registerData.CompanyName = replaceSpecialCharacters(registerData.CompanyName)
-	registerData.EmployeeCount = replaceSpecialCharacters(registerData.EmployeeCount)
-
 	if len([]rune(registerData.Partner)) > 100 {
 		a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Partner must be less than or equal to 100 characters")))
 		return
@ -464,8 +446,6 @@ func (a *Auth) UpdateAccount(w http.ResponseWriter, r *http.Request) {
 		a.serveJSONError(w, err)
 		return
 	}
-	updatedInfo.FullName = replaceSpecialCharacters(updatedInfo.FullName)
-	updatedInfo.ShortName = replaceSpecialCharacters(updatedInfo.ShortName)

 	if err = a.service.UpdateAccount(ctx, updatedInfo.FullName, updatedInfo.ShortName); err != nil {
 		a.serveJSONError(w, err)
--- a/satellite/console/consoleweb/consoleapi/auth_test.go
+++ b/satellite/console/consoleweb/consoleapi/auth_test.go
@ -781,54 +781,6 @@ func TestResendActivationEmail(t *testing.T) {
 	})
 }

-func TestAuth_Register_NameSpecialChars(t *testing.T) {
-	testplanet.Run(t, testplanet.Config{
-		SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
-		Reconfigure: testplanet.Reconfigure{
-			Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
-				config.Mail.AuthType = "nomail"
-			},
-		},
-	}, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
-		inputName := "The website has been changed to https://evil.com/login.html<> - Enter Login ' \" Details,"
-		filteredName := "The website has been changed to https---evil-com-login-html\\u0026lt;\\u0026gt; - Enter Login \\u0026#39; \\u0026#34; Details,"
-		email := "user@mail.test"
-		registerData := struct {
-			FullName  string `json:"fullName"`
-			ShortName string `json:"shortName"`
-			Email     string `json:"email"`
-			Password  string `json:"password"`
-		}{
-			FullName:  inputName,
-			ShortName: inputName,
-			Email:     email,
-			Password:  "abc123",
-		}
-
-		jsonBody, err := json.Marshal(registerData)
-		require.NoError(t, err)
-
-		url := planet.Satellites[0].ConsoleURL() + "/api/v0/auth/register"
-		req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBody))
-		require.NoError(t, err)
-		req.Header.Set("Content-Type", "application/json")
-		result, err := http.DefaultClient.Do(req)
-		require.NoError(t, err)
-		defer func() {
-			err = result.Body.Close()
-			require.NoError(t, err)
-		}()
-		require.Equal(t, http.StatusOK, result.StatusCode)
-		require.Len(t, planet.Satellites, 1)
-		// this works only because we configured 'nomail' above. Mail send simulator won't click to activation link.
-		_, users, err := planet.Satellites[0].API.Console.Service.GetUserByEmailWithUnverified(ctx, email)
-		require.NoError(t, err)
-		require.Len(t, users, 1)
-		require.Equal(t, filteredName, users[0].FullName)
-		require.Equal(t, filteredName, users[0].ShortName)
-	})
-}
-
 func TestAuth_Register_ShortPartnerOrPromo(t *testing.T) {
 	testplanet.Run(t, testplanet.Config{
 		SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,