From 280fa7a44532d56e719cc18453e61811d606a4f5 Mon Sep 17 00:00:00 2001 From: tamassoltesz Date: Fri, 27 Sep 2024 17:46:32 +0200 Subject: [PATCH] fix: validating firstFactors not to contain special chars --- CHANGELOG.md | 2 ++ build.gradle | 2 +- .../api/multitenancy/BaseCreateOrUpdate.java | 12 ++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 001af5c22..b9e2869fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## Unreleased +- Adds validation to firstFactors name while creating tenants/apps/etc. to not allow special chars. + ## [9.2.2] - 2024-09-04 - Adds index on `last_active_time` for `user_last_active` table to improve the performance of MAU computation. diff --git a/build.gradle b/build.gradle index c565f1bdc..7ede11ac5 100644 --- a/build.gradle +++ b/build.gradle @@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" } // } //} -version = "9.2.2" +version = "9.2.3" repositories { diff --git a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java index 2ee4aeb46..e0eb9fb13 100644 --- a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java +++ b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java @@ -102,6 +102,7 @@ protected void handle(HttpServletRequest req, HttpServletResponse resp, TenantId // Apply updates based on CDI version tenantConfig = applyTenantUpdates(tenantConfig, getVersionFromRequest(req), isV2, input); + validateFirstFactorsName(tenantConfig); // Write tenant config to db createOrUpdate(req, sourceTenantIdentifier, tenantConfig); @@ -938,6 +939,17 @@ private static TenantConfig applyTenantUpdates_5_0(TenantConfig tenantConfig, Js return tenantConfig; } + private static void validateFirstFactorsName(TenantConfig tenantConfig) throws ServletException { + if(tenantConfig.firstFactors != null && tenantConfig.firstFactors.length > 0) { + String allowedPattern = "^[0-9a-z-]+$"; + for(String firstFactor: tenantConfig.firstFactors){ + if(firstFactor != null && !firstFactor.matches(allowedPattern)){ + throw new ServletException(new BadRequestException("firstFactors should not contain only 0-9,a-z,- characters")); + } + } + } + } + private static TenantConfig applyV2TenantUpdates_5_1(TenantConfig tenantConfig, JsonObject input) throws ServletException { if (input.has("emailPasswordEnabled")) {