fix: invalid username checks

2025-06-05 22:09:59 +02:00 · 2023-09-18 22:34:31 +08:00
parent 2375001453
commit bff41a8957
22 changed files with 106 additions and 132 deletions
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@@ -3,6 +3,7 @@ package v2
 import (
 	"context"
 	"net/http"
+	"regexp"
 	"time"

 	"github.com/golang-jwt/jwt/v4"
@@ -20,6 +21,10 @@ import (
 	"github.com/usememos/memos/store"
 )

+var (
+	usernameMatcher = regexp.MustCompile("^[a-z]([a-z0-9-]{2,30}[a-z0-9])?$")
+)
+
 type UserService struct {
 	apiv2pb.UnimplementedUserServiceServer

@@ -72,6 +77,9 @@ func (s *UserService) UpdateUser(ctx context.Context, request *apiv2pb.UpdateUse
 	}
 	for _, path := range request.UpdateMask {
 		if path == "username" {
+			if !usernameMatcher.MatchString(request.User.Username) {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", request.User.Username)
+			}
 			update.Username = &request.User.Username
 		} else if path == "nickname" {
 			update.Nickname = &request.User.Nickname