[backend/core] Prevent system users from authenticating or creating notes

This commit is contained in:
Laura Hausmann 2024-10-09 21:39:32 +02:00
parent 5390990448
commit 846888b2c7
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
3 changed files with 5 additions and 0 deletions


@ -54,6 +54,8 @@ public class AuthController(DatabaseContext db, UserService userSvc, UserRendere
p.UsernameLower == request.Username.ToLowerInvariant());
if (user == null)
throw GracefulException.Forbidden("Invalid username or password");
if (user.IsSystemUser)
throw GracefulException.BadRequest("Cannot log in as system user");
var settings = await db.UserSettings.FirstOrDefaultAsync(p => p.User == user);
if (settings?.Password == null)
throw GracefulException.Forbidden("Invalid username or password");
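Review bot: The system-user rejection at `if (user.IsSystemUser)` runs before the password is verified and answers with a different status and message than the invalid-credential path, so an unauthenticated caller can tell a system account apart from an unknown username or a wrong password by the response alone. Unless system account names are intended to be discoverable, the safer shape is to answer exactly as for bad credentials, `throw GracefulException.Forbidden("Invalid username or password");`, or to move the check after the password comparison. The same pattern appears in the AuthorizeModel hunk (`if (user.IsSystemUser) throw GracefulException.BadRequest("Cannot log in as system user");`). The enclosing method of AuthController starts and ends outside the hunk.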


@ -110,6 +110,8 @@ public class NoteService(
throw GracefulException.UnprocessableEntity($"Note was rejected by {policy.Name}");
if (data.User.IsLocalUser && (data.Text?.Length ?? 0) + (data.Cw?.Length ?? 0) > config.Value.CharacterLimit)
throw GracefulException.UnprocessableEntity($"Text & content warning cannot exceed {config.Value.CharacterLimit} characters in total");
if (data.User.IsSystemUser)
throw GracefulException.BadRequest("System users cannot create notes");
if (data.Text is { Length: > 100000 })
throw GracefulException.UnprocessableEntity("Text cannot be longer than 100.000 characters");
if (data.Cw is { Length: > 100000 })
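Review bot: The new `data.User.IsSystemUser` guard sits after the policy evaluation and the character-limit check, so a system user's attempt is first run through `policy` and may surface as `Note was rejected by {policy.Name}` rather than the intended error; placing this categorical check ahead of those validations makes the rejection deterministic and skips the policy work. The neighbouring rejections use `UnprocessableEntity` while this one uses `BadRequest`, which deserves a one-line comment if deliberate, e.g. `// 400 rather than 422: a request from a system user can never become valid`. Whether this method is also the entry point for inbound federated notes is not visible here; if it is not, the remote path may still need an equivalent guard. The enclosing method starts and ends outside the hunk.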


@ -71,6 +71,7 @@ public class AuthorizeModel(DatabaseContext db) : PageModel
user = await db.Users.FirstOrDefaultAsync(p => p.IsLocalUser &&
p.UsernameLower == username.ToLowerInvariant()) ??
throw Forbidden();
if (user.IsSystemUser) throw GracefulException.BadRequest("Cannot log in as system user");
var userSettings = await db.UserSettings.FirstOrDefaultAsync(p => p.User == user);
if (userSettings?.Password == null)
throw Forbidden();