Skip to content
Snippets Groups Projects
Commit e482e6bd authored by Emmanuel Viennet's avatar Emmanuel Viennet
Browse files

Renforce vérification formulaire de login pour éviter de déclencher une erreur SQL

parent 60567671
No related branches found
No related tags found
No related merge requests found
......@@ -32,7 +32,7 @@ from app.scodoc import sco_etud # a deplacer dans scu
VALID_LOGIN_EXP = re.compile(r"^[a-zA-Z0-9@\\\-_\.]+$")
def is_valid_password(cleartxt):
def is_valid_password(cleartxt) -> bool:
"""Check password.
returns True if OK.
"""
......@@ -49,6 +49,15 @@ def is_valid_password(cleartxt):
return False
def invalid_user_name(user_name: str) -> bool:
"Check that user_name (aka login) is invalid"
return (
(len(user_name) < 2)
or (len(user_name) >= USERNAME_STR_LEN)
or not VALID_LOGIN_EXP.match(user_name)
)
class User(UserMixin, db.Model):
"""ScoDoc users, handled by Flask / SQLAlchemy"""
......@@ -108,7 +117,7 @@ class User(UserMixin, db.Model):
self.roles = []
self.user_roles = []
# check login:
if kwargs.get("user_name") and not VALID_LOGIN_EXP.match(kwargs["user_name"]):
if kwargs.get("user_name") and invalid_user_name(kwargs["user_name"]):
raise ValueError(f"invalid user_name: {kwargs['user_name']}")
super(User, self).__init__(**kwargs)
# Ajoute roles:
......@@ -287,7 +296,7 @@ class User(UserMixin, db.Model):
self.user_name = data["user_name"]
if "password" in data:
self.set_password(data["password"])
if not VALID_LOGIN_EXP.match(self.user_name):
if not invalid_user_name(self.user_name):
raise ValueError(f"invalid user_name: {self.user_name}")
# Roles: roles_string is "Ens_RT, Secr_RT, ..."
if "roles_string" in data:
......
......@@ -19,8 +19,7 @@ from app.auth.forms import (
ResetPasswordRequestForm,
UserCreationForm,
)
from app.auth.models import Role
from app.auth.models import User
from app.auth.models import Role, User, invalid_user_name
from app.auth.email import send_password_reset_email
from app.decorators import admin_required
from app.models.config import ScoDocSiteConfig
......@@ -34,6 +33,10 @@ def _login_form():
"""le formulaire de login, avec un lien CAS s'il est configuré."""
form = LoginForm()
if form.validate_on_submit():
# note: ceci est la première requête SQL déclenchée par un utilisateur arrivant
if invalid_user_name(form.user_name.data):
user = None
else:
user = User.query.filter_by(user_name=form.user_name.data).first()
if user is None or not user.check_password(form.password.data):
current_app.logger.info("login: invalid (%s)", form.user_name.data)
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment