php-crud-api icon indicating copy to clipboard operation
php-crud-api copied to clipboard

Published 20 hours ago verified publisher icon mevdschee

Username is not sanitized on registration

Open apps-caraga opened this issue 2 years ago • 5 comments

I'm using dbAuth for a project and one issue I encounter is that the username is not sanitized even if the sanitation middleware is active. For example, a user can input usernames with html tags such as <h1>bigname or <marquee>runningname</marquee> and this gets inserted to the database as-is. I'm using the sanitation middleware per basic example. Any idea how to sanitize username on registration?

SanitationMiddleware config

'middlewares'=>'sanitation,dbAuth,authorization',
'sanitation.tables'=>'all',
'sanitation.handler' => function ($operation, $tableName, $column, $value) {
	return is_string($value) ? strip_tags($value) : $value;
},

The middleware sanitizes/strips html tags from other inputs during updating but not on user creation.

apps-caraga avatar Feb 01 '23 05:02 apps-caraga

The SanitationMiddleware uses the types it reflects from the tables to sanitize. These types are not available for the dbAuth calls. Maybe the dbAuth middleware should do it's own sanitizing? What do you think?

mevdschee avatar Feb 01 '23 21:02 mevdschee

The SanitationMiddleware uses the types it reflects from the tables to sanitize. These types are not available for the dbAuth calls.

I see. I thought the SanitationMiddleware handles all tables. Anyway, for username, it is usually a string so maybe we don't need to reflect or check the column type from the database table.

Perhaps it would be enough to check if the nominated username is a correctly formatted email address (thru FILTER_VALIDATE_EMAIL) as some users seems to prefer to use their email address as username.

If it's not an email address, check if it contains only the characters @,_.-,.letters and numbers, but should always start with a letter. Check also on the minimum and maximum length to prevent super-long usernames. Will these be ok as default username validation?

apps-caraga avatar Feb 02 '23 05:02 apps-caraga

Hi @mevdschee , I checked my PR#911 and I think some commits on that can be applied here. I just don't know how to unbundle the multiple commits on that PR if it can be done. Still learning my way around github. 😢

Particularly, these changes. It sets new properties, $usernameMinLength, $usernameMaxLength, and $usernamePattern.

image

apps-caraga avatar Feb 02 '23 12:02 apps-caraga

I'm using dbAuth for a project and one issue I encounter is that the username is not sanitized even if the sanitation middleware is active. [...] Any idea how to sanitize username on registration?

First of all, I agree and this is something that dbAuth should somehow support.

a user can input usernames with html tags such as <h1>bigname or <marquee>runningname</marquee> and this gets inserted to the database as-is

Whether that is a desirable or not depends on your application.

Perhaps it would be enough to check if the nominated username is a correctly formatted email address

For some applications that is true.

If it's not an email address, check if it contains only the characters @,_.-,.letters and numbers, but should always start with a letter. Check also on the minimum and maximum length to prevent super-long usernames.

For some applications that is desirable..

I think we need some clever applying of SanitationMiddleware to the dbAuth calls.. I just don't know how yet.

mevdschee avatar Mar 22 '23 20:03 mevdschee

On html tags in username,

Whether that is a desirable or not depends on your application.

I think it would be good to have a sane default, for example by excluding html tags in usernames. If for some reason html tags in username is desirable in the application, the application should purposely override the default.

we need some clever applying of SanitationMiddleware to the dbAuth calls

I agree and I also can't figure it out yet. 😁

apps-caraga avatar Mar 27 '23 08:03 apps-caraga

Just a quick note, in case anyone else is having same problem: It is possible to use the customization beforeHandler to do simple sanitation of the username. So after loading the sanitation middleware, we can detect if the current $path is register, then do whatever sanitation check you need to do before sending the $username to the endpoint. In the following simple example, we're just stripping any html tags in the submitted username.

'customization.beforeHandler' => function ($operation, $tableName, $request, $environment) {
			$body = $request->getParsedBody();
			$path = RequestUtils::getPathSegment($request, 1);
			if($path === 'register'  ){
				$body->username = strip_tags($body->username); // assuming the $usernameColumnName is username
				return $request->withParsedBody($body);
			}
		},

apps-caraga avatar Mar 31 '24 05:03 apps-caraga