From 139cda6e1af0287eeec56b9e8c8457704a6e230b Mon Sep 17 00:00:00 2001
From: dzikoysk
Date: Sat, 7 Sep 2024 14:25:36 +0200
Subject: [PATCH] GH-2219 Forbid creating access tokens containing a colon symbol (Fix #2219)
---
 .../kotlin/com/reposilite/token/AccessToken.kt | 7 ++++---
 .../token/infrastructure/AccessTokenCommands.kt | 17 +++++++++++++++--
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt b/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt
index b6000d056..16175531c 100644
--- a/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt
+++ b/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt
@@ -42,7 +42,8 @@ data class AccessToken(
 ) {
 init {
- check(name.length < MAX_TOKEN_NAME) { "Name is too long (${name.length} > $MAX_TOKEN_NAME)" }
+ check(name.length < MAX_TOKEN_NAME) { "Access token name is too long (${name.length} > $MAX_TOKEN_NAME)" }
+ check(!name.contains(":")) { "Access token name cannot contain ':' character" }
 }
 fun toDto(): AccessTokenDto =
@@ -63,10 +64,10 @@ enum class AccessTokenPermission(val identifier: String, val shortcut: String) {
 companion object {
 fun findAccessTokenPermissionByIdentifier(identifier: String): AccessTokenPermission? =
- values().firstOrNull { it.identifier == identifier }
+ entries.firstOrNull { it.identifier == identifier }
 fun findAccessTokenPermissionByShortcut(shortcut: String): AccessTokenPermission? =
- values().firstOrNull { it.shortcut == shortcut }
+ entries.firstOrNull { it.shortcut == shortcut }
 fun findByAny(permission: String): AccessTokenPermission? =
 findAccessTokenPermissionByIdentifier(permission) ?: findAccessTokenPermissionByShortcut(permission)
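Review bot: The reworded length guard in AccessToken's init block still rejects a name of exactly MAX_TOKEN_NAME characters while its message describes the failure as `${name.length} > $MAX_TOKEN_NAME`; either the comparison should become `check(name.length <= MAX_TOKEN_NAME)` or the message should say `>=`, and rewording the message was the natural moment to align the two. The new colon rule is a plain `check(...)`, so any caller that builds an AccessToken from external input gets an IllegalStateException rather than a validation result; presumably the non-CLI creation path goes through this constructor as well, in which case that exception is what a client observes unless something upstream maps it. The hunk does not say why ':' is reserved, and a one-line comment above the check would spare the next maintainer a trip to the tracker, e.g. `// ':' is reserved by the credential format, see GH-2219`.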
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt b/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt
index 0acca849d..98727f1aa 100644
--- a/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt
+++ b/reposilite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt
@@ -67,7 +67,20 @@ internal class KeygenCommand(private val accessTokenFacade: AccessTokenFacade) :
 override fun execute(context: CommandContext) {
 val mappedPermissions = mapPermissions(context, permissions) ?: return
- val response = accessTokenFacade.createAccessToken(CreateAccessTokenRequest(PERSISTENT, name, secret = secret))
+
+ if (name.contains(":")) {
+ context.status = FAILED
+ context.append("Token name cannot contain ':' character")
+ return
+ }
+
+ val response = accessTokenFacade.createAccessToken(
+ CreateAccessTokenRequest(
+ type = PERSISTENT,
+ name = name,
+ secret = secret
+ )
+ )
 mappedPermissions.forEach {
 accessTokenFacade.addPermission(response.accessToken.identifier, it)
@@ -93,7 +106,7 @@ internal class ChModCommand(private val accessTokenFacade: AccessTokenFacade) :
 accessTokenFacade.getAccessToken(name)
 ?.let { token ->
- AccessTokenPermission.values().forEach { accessTokenFacade.deletePermission(token.identifier, it) }
+ AccessTokenPermission.entries.forEach { accessTokenFacade.deletePermission(token.identifier, it) }
 mappedPermissions.forEach { accessTokenFacade.addPermission(token.identifier, it) }
 context.append("Permissions have been changed from to '$permissions'")
 }
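Review bot: The colon rule is now enforced twice with different wording — `Token name cannot contain ':' character` in KeygenCommand.execute versus `Access token name cannot contain ':' character` in AccessToken's init block — and only the CLI path gets the early exit, so any other caller of createAccessToken still reaches the constructor's `check` and gets an IllegalStateException. Consider giving the rule one home next to the data class, e.g. `fun isValidAccessTokenName(name: String): Boolean = !name.contains(":") && name.length < MAX_TOKEN_NAME` in AccessToken's companion object, and calling it from both places so the condition and the message cannot drift apart. For the same reason the length limit enforced by that init block deserves the same `context.status = FAILED` treatment here, since a too-long name entered at the CLI otherwise surfaces as an exception too. `execute` continues past the end of the hunk.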