From b69f92dbdca8c18c93ce25c3e95c7ec2d2b3d98f Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 14 Aug 2024 00:40:58 +0200
Subject: [PATCH] [backend/core] Stricter local user username validation

---
 Iceshrimp.Backend/Core/Services/UserService.cs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Iceshrimp.Backend/Core/Services/UserService.cs b/Iceshrimp.Backend/Core/Services/UserService.cs
index 63a71c05..3d4350b0 100644
--- a/Iceshrimp.Backend/Core/Services/UserService.cs
+++ b/Iceshrimp.Backend/Core/Services/UserService.cs
@@ -1,6 +1,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
 using System.Security.Cryptography;
+using System.Text.RegularExpressions;
 using AsyncKeyedLock;
 using EntityFramework.Exceptions.Common;
 using Iceshrimp.Backend.Core.Configuration;
@@ -377,8 +378,8 @@ public class UserService(
 if (security.Value.Registrations == Enums.Registrations.Invite &&
 !await db.RegistrationInvites.AnyAsync(p => p.Code == invite))
 throw new GracefulException(HttpStatusCode.Forbidden, "The specified invite code is invalid");
- if (username.Contains('.'))
- throw new GracefulException(HttpStatusCode.BadRequest, "Username must not contain the dot character");
+ if (!Regex.IsMatch(username, @"^\w+$"))
+ throw new GracefulException(HttpStatusCode.BadRequest, "Username must only contain letters");
 if (Constants.SystemUsers.Contains(username.ToLowerInvariant()))
 throw new GracefulException(HttpStatusCode.BadRequest, "Username must not be a system user");
 if (await db.Users.AnyAsync(p => p.IsLocalUser && p.UsernameLower == username.ToLowerInvariant()))
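Review bot: The new check `Regex.IsMatch(username, @"^\w+$")` in the second hunk is looser than its error message suggests: in .NET `\w` matches any Unicode letter, digit, combining mark and connector punctuation, and `$` also matches just before a trailing `\n`, so a username such as `"alice\n"` or one built from look-alike non-ASCII letters passes. Because the uniqueness check below compares only the `ToLowerInvariant()` forms, visually identical local usernames could coexist, which is an impersonation risk. If ASCII-only names are intended (not visible from this hunk), an explicit class anchored with `\z` would pin that down: `if (!Regex.IsMatch(username, @"^[a-zA-Z0-9_]+\z"))`, with the message changed to `"Username must only contain letters, digits and underscores"`. The enclosing method starts and ends outside the hunk, so any length limit or normalisation applied elsewhere is not visible here.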