From 7d039364b9d666649f678ed214d193edb52df3f4 Mon Sep 17 00:00:00 2001
From: Jeremy Wharton
Date: Tue, 31 Jan 2023 16:37:26 -0600
Subject: [PATCH] satellite/console/.../consoleapi: keep special chars in registration info

We no longer use registration information in ways that could be exploited by malicious agents, so filtering special characters is not necessary and has been removed.

Resolves storj-private#133
Change-Id: I3eb4803c71ccb307b38f0288fe2af5eec70f8309
---
 .../console/consoleweb/consoleapi/auth.go | 20 --------
 .../consoleweb/consoleapi/auth_test.go | 48 -------------------
 2 files changed, 68 deletions(-)

diff --git a/satellite/console/consoleweb/consoleapi/auth.go b/satellite/console/consoleweb/consoleapi/auth.go
index 5ce89937f..298615f33 100644
--- a/satellite/console/consoleweb/consoleapi/auth.go
+++ b/satellite/console/consoleweb/consoleapi/auth.go
@@ -6,9 +6,7 @@ package consoleapi
 import (
 "encoding/json"
 "errors"
- "html/template"
 "net/http"
- "regexp"
 "strings"
 "time"
 
@@ -205,14 +203,6 @@ func (a *Auth) Logout(w http.ResponseWriter, r *http.Request) {
 a.cookieAuth.RemoveTokenCookie(w)
 }
 
-// replaceSpecialCharacters replaces characters that could be used to represent a url or html.
-func replaceSpecialCharacters(s string) string {
- re := regexp.MustCompile(`[\/:\.]`)
- s = template.HTMLEscapeString(s)
- s = template.JSEscapeString(s)
- return re.ReplaceAllString(s, "-")
-}
-
 // Register creates new user, sends activation e-mail.
 // If a user with the given e-mail address already exists, a password reset e-mail is sent instead.
 func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
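Review bot: With replaceSpecialCharacters removed here, the FullName, ShortName, Partner, Position, CompanyName and EmployeeCount values in Register and the FullName/ShortName values in UpdateAccount (the next two hunks of this file) reach a.service exactly as submitted, so the safety of the change now rests on every consumer of those fields (mail templates, the console UI, anything that renders them) applying context-appropriate output encoding, which this diff cannot show. The commit message asserts that no exploitable consumer remains, but the new code does not record that contract for whoever adds a consumer next, and the remaining validation visible in the hunk is only the 100-rune Partner length check. I would add a comment on the new side above that Partner check in Register and mirror it before the a.service.UpdateAccount call: `// These fields are stored as submitted; anything that renders them (mail templates, UI, admin views) must apply context-appropriate output encoding.` The bodies of Register and UpdateAccount continue outside their hunks. The deleted TestAuth_Register_NameSpecialChars in auth_test.go is not replaced; a test asserting that the submitted name is stored unchanged would pin the new behaviour.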
@@ -267,14 +257,6 @@ func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- // remove special characters from submitted info so that malicious link or code cannot be injected anywhere.
- registerData.FullName = replaceSpecialCharacters(registerData.FullName)
- registerData.ShortName = replaceSpecialCharacters(registerData.ShortName)
- registerData.Partner = replaceSpecialCharacters(registerData.Partner)
- registerData.Position = replaceSpecialCharacters(registerData.Position)
- registerData.CompanyName = replaceSpecialCharacters(registerData.CompanyName)
- registerData.EmployeeCount = replaceSpecialCharacters(registerData.EmployeeCount)
-
 if len([]rune(registerData.Partner)) > 100 {
 a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Partner must be less than or equal to 100 characters")))
 return
@@ -464,8 +446,6 @@ func (a *Auth) UpdateAccount(w http.ResponseWriter, r *http.Request) {
 a.serveJSONError(w, err)
 return
 }
- updatedInfo.FullName = replaceSpecialCharacters(updatedInfo.FullName)
- updatedInfo.ShortName = replaceSpecialCharacters(updatedInfo.ShortName)
 
 if err = a.service.UpdateAccount(ctx, updatedInfo.FullName, updatedInfo.ShortName); err != nil {
 a.serveJSONError(w, err)
diff --git a/satellite/console/consoleweb/consoleapi/auth_test.go b/satellite/console/consoleweb/consoleapi/auth_test.go
index d9bfeb329..2c2991234 100644
--- a/satellite/console/consoleweb/consoleapi/auth_test.go
+++ b/satellite/console/consoleweb/consoleapi/auth_test.go
@@ -781,54 +781,6 @@ func TestResendActivationEmail(t *testing.T) {
 })
 }
 
-func TestAuth_Register_NameSpecialChars(t *testing.T) {
- testplanet.Run(t, testplanet.Config{
- SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,
- Reconfigure: testplanet.Reconfigure{
- Satellite: func(log *zap.Logger, index int, config *satellite.Config) {
- config.Mail.AuthType = "nomail"
- },
- },
- }, func(t *testing.T, ctx *testcontext.Context, planet *testplanet.Planet) {
- inputName := "The website has been changed to https://evil.com/login.html<> - Enter Login ' \" Details,"
- filteredName := "The website has been changed to https---evil-com-login-html\\u0026lt;\\u0026gt; - Enter Login \\u0026#39; \\u0026#34; Details,"
- email := "user@mail.test"
- registerData := struct {
- FullName string `json:"fullName"`
- ShortName string `json:"shortName"`
- Email string `json:"email"`
- Password string `json:"password"`
- }{
- FullName: inputName,
- ShortName: inputName,
- Email: email,
- Password: "abc123",
- }
-
- jsonBody, err := json.Marshal(registerData)
- require.NoError(t, err)
-
- url := planet.Satellites[0].ConsoleURL() + "/api/v0/auth/register"
- req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(jsonBody))
- require.NoError(t, err)
- req.Header.Set("Content-Type", "application/json")
- result, err := http.DefaultClient.Do(req)
- require.NoError(t, err)
- defer func() {
- err = result.Body.Close()
- require.NoError(t, err)
- }()
- require.Equal(t, http.StatusOK, result.StatusCode)
- require.Len(t, planet.Satellites, 1)
- // this works only because we configured 'nomail' above. Mail send simulator won't click to activation link.
- _, users, err := planet.Satellites[0].API.Console.Service.GetUserByEmailWithUnverified(ctx, email)
- require.NoError(t, err)
- require.Len(t, users, 1)
- require.Equal(t, filteredName, users[0].FullName)
- require.Equal(t, filteredName, users[0].ShortName)
- })
-}
-
 func TestAuth_Register_ShortPartnerOrPromo(t *testing.T) {
 testplanet.Run(t, testplanet.Config{
 SatelliteCount: 1, StorageNodeCount: 0, UplinkCount: 0,