From 0604d9f31df271234e6b4efddcc61d0e27ccef56 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Sun, 21 Jun 2020 22:33:59 -0700 Subject: [PATCH] Fixed adduserbatch validation. --- meshuser.js | 36 +++++++++++++++++++++++------------- webserver.js | 12 +++++++++++- 2 files changed, 34 insertions(+), 14 deletions(-) diff --git a/meshuser.js b/meshuser.js index 3769d891..8fd8afa6 100644 --- a/meshuser.js +++ b/meshuser.js @@ -1596,21 +1596,31 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use } case 'adduserbatch': { + var err = null; + // Add many new user accounts - if ((user.siteadmin & 2) == 0) break; - if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) break; - if (!Array.isArray(command.users)) break; - var userCount = 0; - for (var i in command.users) { - if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here. - if (common.validateUsername(command.users[i].user, 1, 256) == false) break; // Username is between 1 and 64 characters, no spaces - if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) break; // This is a reserved user name or invalid name - if (common.validateString(command.users[i].pass, 1, 256) == false) break; // Password is between 1 and 256 characters - if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) break; // Password does not meet requirements - if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) break; // Check if this is a valid email address - userCount++; + if ((user.siteadmin & 2) == 0) { err = 'Access denied'; } + else if ((domain.auth == 'sspi') || (domain.auth == 'ldap')) { err = 'Unable to create users when in SSPI or LDAP mode'; } + else if (!Array.isArray(command.users)) { err = 'Invalid users'; } + else { + var userCount = 0; + for (var i in command.users) { + if (domain.usernameisemail) { if (command.users[i].email) { command.users[i].user = command.users[i].email; } else { command.users[i].email = command.users[i].user; } } // If the email is the username, set this here. + if (common.validateUsername(command.users[i].user, 1, 256) == false) { err = 'Invalid username'; break; } // Username is between 1 and 64 characters, no spaces + if ((command.users[i].user[0] == '~') || (command.users[i].user.indexOf('/') >= 0)) { err = 'Invalid username'; break; } // This is a reserved user name or invalid name + if (common.validateString(command.users[i].pass, 1, 256) == false) { err = 'Invalid password'; break; } // Password is between 1 and 256 characters + if (common.checkPasswordRequirements(command.users[i].pass, domain.passwordrequirements) == false) { err = 'Invalid password'; break; } // Password does not meet requirements + if ((command.users[i].email != null) && (common.validateEmail(command.users[i].email, 1, 1024) == false)) { err = 'Invalid email'; break; } // Check if this is a valid email address + userCount++; + } } - + + // Handle any errors + if (err != null) { + if (command.responseid != null) { try { ws.send(JSON.stringify({ action: 'adduserbatch', responseid: command.responseid, result: err })); } catch (ex) { } } + break; + } + // Check if we exceed the maximum number of user accounts db.isMaxType(domain.limits.maxuseraccounts + userCount, 'user', domain.id, function (maxExceed) { if (maxExceed) { diff --git a/webserver.js b/webserver.js index fe19870e..9a7bec2b 100644 --- a/webserver.js +++ b/webserver.js @@ -2615,9 +2615,18 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { const domain = getDomain(req); if (domain == null) { parent.debug('web', 'handleMeScriptRequest: no domain'); res.sendStatus(404); return; } if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key - if ((obj.userAllowedIp != null) && (checkIpAddressEx(req, res, obj.userAllowedIp, false) === false)) { return; } // Check server-wide IP filter only. + + // Get the user and check user rights + var authUserid = null; + if ((req.session != null) && (typeof req.session.userid == 'string')) { authUserid = req.session.userid; } + if (authUserid == null) { res.sendStatus(401); return; } + const user = obj.users[authUserid]; + if (user == null) { res.sendStatus(401); return; } + if ((req.query.type == 1) && (req.query.meshid != null)) { + // Get the CIRA install script + if (obj.IsMeshViewable(user, req.query.meshid) == false) { res.sendStatus(404); return; } obj.getCiraConfigurationScript(req.query.meshid, function (script) { if (script == null) { res.sendStatus(404); } else { try { @@ -2630,6 +2639,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { } }); } else if (req.query.type == 2) { + // Get the CIRA cleanup script obj.getCiraCleanupScript(function (script) { if (script == null) { res.sendStatus(404); } else { res.set({ 'Cache-Control': 'no-cache, no-store, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Type': 'application/octet-stream', 'Content-Disposition': 'attachment; filename="cira_cleanup.mescript"' });