submission,username,password length limits

Tkaixiang · Tkaixiang · commit c0c9e326f3b3 · 2022-01-02T11:58:13.000+08:00
diff --git a/api/controllers/Accounts.js b/api/controllers/Accounts.js
@@ -185,7 +185,11 @@ const login = async (req, res) => {
         let user = null
         if (/^[a-zA-Z0-9_]+$/.test(req.body.username)) user = await collections.users.findOne({ username: req.body.username.toLowerCase() });
         else user = await collections.users.findOne({ email: req.body.username.toLowerCase() });
+
+        if (req.body.password.length > 200 || req.body.password.length < 1) throw new Error('WrongDetails');
+
         if (!user) throw new Error('WrongDetails');
+
         else if (await argon2.verify(user.password, req.body.password)) {
             if (NodeCacheObj.get("emailVerify") && "code" in user) {
                 res.send({ success: false, error: "need-verify", emailVerify: user.email })
@@ -242,10 +246,14 @@ const create = async (req, res) => {
         }
 
         if (!/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/.test(req.body.email)) throw new Error('BadEmail');
-        if (!/^[a-zA-Z0-9_]+$/.test(req.body.username)) return res.send({
+        if (!/^[a-zA-Z0-9_]{1,50}$/.test(req.body.username)) return res.send({
             success: false,
             error: "bad-username"
         })
+        if (req.body.password.length > 200 || req.body.password.length < 1)  return res.send({
+            success: false,
+            error: "bad-password"
+        })
         let responseObj = { success: true }
         let insertObj = {
             username: req.body.username.toLowerCase(),
diff --git a/api/controllers/Challenges.js b/api/controllers/Challenges.js
@@ -460,6 +460,7 @@ const submit = async (req, res) => {
                 type: 'submission'
             }) >= chall.max_attempts) throw new Error('Exceeded');
         }
+        if (req.body.flag.length > 1000) throw new Error('InvalidFlagLength');
         let submitted = false
         if (NodeCacheObj.get("teamMode") && req.locals.username in usernameTeamCache) {
             const team = usernameTeamCache[req.locals.username]
@@ -589,7 +590,7 @@ const submit = async (req, res) => {
 
             await insertTransaction(true);
             await collections.cache.updateOne({}, { '$set': { latestSolveSubmissionID: latestSolveSubmissionID } })
-            
+
             res.send({
                 success: true,
                 data: 'correct'
@@ -628,6 +629,13 @@ const submit = async (req, res) => {
                     error: 'exceeded'
                 });
                 return;
+            case 'InvalidFlagLength':
+                res.code(403);
+                res.send({
+                    success: false,
+                    error: 'InvalidFlagLength'
+                });
+                return;
             default:
                 throw new Error(err)
         }
@@ -656,6 +664,9 @@ const newChall = async (req, res) => {
             initial: req.body.initial,
             minSolves: req.body.minSolves
         };
+        for (let i = 0; i < req.body.flags.length; i++) {
+            if (!(req.body.flags[i].length <= 1000 && req.body.flags[i].length >= 1)) throw new Error('InvalidFlagLength');
+        }
         if (req.body.tags) doc.tags = req.body.tags;
         if (req.body.hints) {
             doc.hints = req.body.hints;
@@ -721,14 +732,23 @@ const newChall = async (req, res) => {
                 error: 'validation'
             });
         }
+        else if (err.message == 'InvalidFlagLength') {
+            res.code(400);
+            res.send({
+                success: false,
+                error: 'validation'
+            });
+        }
     }
 }
 
 const edit = async (req, res) => {
     const collections = Connection.collections
     try {
         if (req.locals.perms < 2) throw new Error('Permissions');
-
+        for (let i = 0; i < req.body.flags.length; i++) {
+            if (!(req.body.flags[i].length <= 1000 && req.body.flags[i].length >= 1)) throw new Error('InvalidFlagLength');
+        }
 
         let updateObj = {};
         let unsetObj = {};
@@ -742,6 +762,7 @@ const edit = async (req, res) => {
                 }
             }
         }
+
         let latestSolveSubmissionID = NodeCacheObj.get("latestSolveSubmissionID")
         latestSolveSubmissionID += 1
         NodeCacheObj.set("latestSolveSubmissionID", latestSolveSubmissionID)
@@ -804,6 +825,13 @@ const edit = async (req, res) => {
                 error: 'validation'
             });
         }
+        else if (err.message == 'InvalidFlagLength') {
+            res.code(400);
+            res.send({
+                success: false,
+                error: 'validation'
+            });
+        }
         if (err.name == 'MongoServerError') {
             switch (err.code) {
                 case 11000:
diff --git a/client/src/AdminPanel/adminChallengeCreate.js b/client/src/AdminPanel/adminChallengeCreate.js
@@ -272,7 +272,7 @@ const CreateChallengeForm = (props) => {
                                                 {...field}
                                                 name={[field.name]}
                                                 fieldKey={[field.fieldKey]}
-                                                rules={[{ required: true, message: 'Missing flag' }]}
+                                                rules={[{ required: true, message: 'Missing flag' }, { message: "Please enter a flag that is < 1000 characters", pattern: /^.{1,1000}$/ }]}
                                             >
                                                 <Input style={{ width: "50ch" }} placeholder="Flag" />
                                             </Form.Item>
diff --git a/client/src/AdminPanel/adminChallengeEdit.js b/client/src/AdminPanel/adminChallengeEdit.js
@@ -29,7 +29,7 @@ const CreateChallengeForm = (props) => {
 
     //Render existing categories select options
 
-    useEffect(() =>  {
+    useEffect(() => {
         let existingCats = []
         for (let i = 0; i < props.allCat.length; i++) {
             existingCats.push(<Option key={props.allCat[i].key} value={props.allCat[i].key}>{props.allCat[i].key}</Option>)
@@ -297,7 +297,7 @@ const CreateChallengeForm = (props) => {
                                                 {...field}
                                                 name={[field.name]}
                                                 fieldKey={[field.fieldKey]}
-                                                rules={[{ required: true, message: 'Missing flag' }]}
+                                                rules={[{ required: true, message: 'Missing flag' }, { message: "Please enter a flag that is < 1000 characters", pattern: /^.{1,1000}$/ }]}
                                             >
                                                 <Input style={{ width: "50ch" }} placeholder="Flag" />
                                             </Form.Item>
diff --git a/client/src/Challenges/challengesTagSort.js b/client/src/Challenges/challengesTagSort.js
@@ -487,6 +487,14 @@ class ChallengesTagSort extends React.Component {
             duration: 3
           });
         }
+        else if (data.error === "InvalidFlagLength") {
+          notification["error"]({
+            message: 'Oops. Your flag is too long.',
+            description:
+              'Please do not spam the server with submissions that are too long.',
+            duration: 3
+          });
+        }
         else {
           console.log(data.error)
           message.error({ content: "Oops. Unknown error" })
diff --git a/client/src/Login/login.js b/client/src/Login/login.js
@@ -404,7 +404,7 @@ class Login extends React.Component {
                                     <Form.Item
                                         name="username"
                                         
-                                        rules={[{ required: true, message: 'Please enter a username' }, { message: "Please enter an alphanumeric username (without spaces)", pattern: /^[a-zA-Z0-9_]+$/ }]}
+                                        rules={[{ required: true, message: 'Please enter a username' }, { message: "Please enter an alphanumeric username (without spaces) <= 50 characters.", pattern: /^[a-zA-Z0-9_]{1,50}$/ }]}
                                     >
                                         <Input id="register-username" allowClear prefix={<UserOutlined className="site-form-item-icon" />} placeholder="Enter a new username" />
                                     </Form.Item>
@@ -428,6 +428,7 @@ class Login extends React.Component {
                                                 required: true,
                                                 message: 'Please input your password!',
                                             },
+                                            { message: "Please enter a password that is >= 1 character and <= 200 characters", pattern: /^.{1,200}$/ }
                                         ]}
                                         hasFeedback
                                     >

Original file line number	Diff line number	Diff line change
`@@ -272,7 +272,7 @@ const CreateChallengeForm = (props) => {`
`272`	`272`	`{...field}`
`273`	`273`	`name={[field.name]}`
`274`	`274`	`fieldKey={[field.fieldKey]}`
`275`		`- rules={[{ required: true, message: 'Missing flag' }]}`
	`275`	`+ rules={[{ required: true, message: 'Missing flag' }, { message: "Please enter a flag that is < 1000 characters", pattern: /^.{1,1000}$/ }]}`
`276`	`276`	`>`
`277`	`277`	`<Input style={{ width: "50ch" }} placeholder="Flag" />`
`278`	`278`	`</Form.Item>`