From 3ea9192f79b8ceeed7233c3e01c6dd47b5a01000 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Fri, 8 Aug 2025 10:07:14 +0200
Subject: [PATCH] Validate user account input during account setup
---
 src/users.js | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/users.js b/src/users.js
index ea121ad9f..4703c83c9 100644
--- a/src/users.js
+++ b/src/users.js
@@ -887,19 +887,33 @@ async function setupAccount(user, data, auditSource) {
 assert.strictEqual(typeof data, 'object');
 assert(auditSource && typeof auditSource === 'object');
- const profileConfig = await userDirectory.getProfileConfig();
-
 const tmp = { inviteToken: '' };
- if (profileConfig.lockUserProfiles) {
- if (!user.username) throw new BoxError(BoxError.CONFLICT, 'Account cannot be setup without a username'); // error out if admin has not provided a username
- } else {
- if (data.username) tmp.username = data.username;
- if (data.displayName) tmp.displayName = data.displayName;
+ if (data.username) {
+ const error = validateUsername(data.username);
+ if (error) throw error;
+
+ tmp.username = data.username;
+ }
+
+ if (data.displayName) {
+ const error = validateDisplayName(data.displayName);
+ if (error) throw error;
+
+ tmp.displayName = data.displayName;
+ }
+
+ const error = validatePassword(data.password);
+ if (error) throw error;
+
+ const profileConfig = await userDirectory.getProfileConfig();
+
+ // error out if admin has not provided a username
+ if (profileConfig.lockUserProfiles && !user.username) {
+ throw new BoxError(BoxError.CONFLICT, 'Account cannot be setup without a username');
 }
 await update(user, tmp, auditSource);
-
 await setPassword(user, data.password, auditSource);
 const token = { clientId: oidcClients.ID_WEBADMIN, identifier: user.id, expires: Date.now() + constants.DEFAULT_TOKEN_EXPIRATION_MSECS, allowedIpRanges: '' };
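Review bot: The username and displayName blocks now run before `profileConfig` is fetched and are no longer gated on `lockUserProfiles`, so with locked profiles an invitee's `data.username` / `data.displayName` now reach `update()`, whereas the removed `else` branch kept those fields admin-only in that case. Unless that relaxation is intended, fetch `profileConfig` before the two blocks and wrap both in `if (!profileConfig.lockUserProfiles) { … }`, or reject supplied profile fields with a `BoxError` when profiles are locked so the caller learns they were not applied rather than having them silently dropped. The rewritten username lock check itself is fine; only its position relative to the two blocks matters. setupAccount starts at the hunk header and continues past the end of the hunk.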