Add new username validation

Changelog: security

Add new username validation
Changelog: security
b14210fd · Małgorzata Ksionek · 55bedf39 · b14210fd · b14210fd · b14210fd
Commit b14210fd authored May 27, 2021 by Małgorzata Ksionek
5 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -235,6 +235,7 @@ class User < ApplicationRecord
  validate :owns_commit_email, if: :commit_email_changed?
  validate :signup_domain_valid?, on: :create, if: ->(user) { !user.created_by_id }
  validate :check_email_restrictions, on: :create, if: ->(user) { !user.created_by_id }
+  validate :check_username_format, if: :username_changed?

  validates :theme_id, allow_nil: true, inclusion: { in: Gitlab::Themes.valid_ids,
    message: _("%{placeholder} is not a valid theme") % { placeholder: '%{value}' } }
@@ -2075,6 +2076,12 @@ class User < ApplicationRecord
    end
  end

+  def check_username_format
+    return if username.blank? || Mime::EXTENSION_LOOKUP.keys.none? { |type| username.end_with?(type) }
+
+    errors.add(:username, _('ending with MIME type format is not allowed.'))
+  end
+
  def groups_with_developer_maintainer_project_access
    project_creation_levels = [::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS]


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38416,6 +38416,9 @@ msgstr ""
 msgid "encrypted: needs to be a :required, :optional or :migrating!"
 msgstr ""

+msgid "ending with MIME type format is not allowed."
+msgstr ""
+
 msgid "entries cannot be larger than 255 characters"
 msgstr ""


--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -387,6 +387,19 @@ RSpec.describe User do
          expect(user.errors.full_messages).to eq(['Username has already been taken'])
        end
      end
+
+      it 'validates format' do
+        Mime::EXTENSION_LOOKUP.keys.each do |type|
+          user = build(:user, username: "test.#{type}")
+
+          expect(user).not_to be_valid
+          expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
+        end
+      end
+
+      it 'validates format on updated record' do
+        expect(create(:user).update(username: 'profile.html')).to be_falsey
+      end
    end

    it 'has a DB-level NOT NULL constraint on projects_limit' do

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -56,7 +56,7 @@ RSpec.describe API::Projects do
  let_it_be(:project, reload: true) { create(:project, :repository, create_branch: 'something_else', namespace: user.namespace) }
  let_it_be(:project2, reload: true) { create(:project, namespace: user.namespace) }
  let_it_be(:project_member) { create(:project_member, :developer, user: user3, project: project) }
-  let_it_be(:user4) { create(:user, username: 'user.with.dot') }
+  let_it_be(:user4) { create(:user, username: 'user.withdot') }
  let_it_be(:project3, reload: true) do
    create(:project,
    :private,

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'

 RSpec.describe API::Users do
  let_it_be(:admin) { create(:admin) }
-  let_it_be(:user, reload: true) { create(:user, username: 'user.with.dot') }
+  let_it_be(:user, reload: true) { create(:user, username: 'user.withdot') }
  let_it_be(:key) { create(:key, user: user) }
  let_it_be(:gpg_key) { create(:gpg_key, user: user) }
  let_it_be(:email) { create(:email, user: user) }