GH-2219 Forbid creating access tokens containing a colon symbol (Fix #…

…2219)
dzikoysk · Sep 7, 2024 · 139cda6 · 139cda6
1 parent a9efd16
commit 139cda6
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt b/reposilite-backend/src/main/kotlin/com/reposilite/token/AccessToken.kt
@@ -42,7 +42,8 @@ data class AccessToken(
 ) {
 
     init {
-        check(name.length < MAX_TOKEN_NAME) { "Name is too long (${name.length} > $MAX_TOKEN_NAME)" }
+        check(name.length < MAX_TOKEN_NAME) { "Access token name is too long (${name.length} > $MAX_TOKEN_NAME)" }
+        check(!name.contains(":")) { "Access token name cannot contain ':' character" }
     }
 
     fun toDto(): AccessTokenDto =
@@ -63,10 +64,10 @@ enum class AccessTokenPermission(val identifier: String, val shortcut: String) {
     companion object {
 
         fun findAccessTokenPermissionByIdentifier(identifier: String): AccessTokenPermission? =
-            values().firstOrNull { it.identifier == identifier }
+            entries.firstOrNull { it.identifier == identifier }
 
         fun findAccessTokenPermissionByShortcut(shortcut: String): AccessTokenPermission? =
-            values().firstOrNull { it.shortcut == shortcut }
+            entries.firstOrNull { it.shortcut == shortcut }
 
         fun findByAny(permission: String): AccessTokenPermission? =
             findAccessTokenPermissionByIdentifier(permission) ?: findAccessTokenPermissionByShortcut(permission)

diff --git a/...silite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt b/...silite-backend/src/main/kotlin/com/reposilite/token/infrastructure/AccessTokenCommands.kt
@@ -67,7 +67,20 @@ internal class KeygenCommand(private val accessTokenFacade: AccessTokenFacade) :
 
     override fun execute(context: CommandContext) {
         val mappedPermissions = mapPermissions(context, permissions) ?: return
-        val response = accessTokenFacade.createAccessToken(CreateAccessTokenRequest(PERSISTENT, name, secret = secret))
+
+        if (name.contains(":")) {
+            context.status = FAILED
+            context.append("Token name cannot contain ':' character")
+            return
+        }
+
+        val response = accessTokenFacade.createAccessToken(
+            CreateAccessTokenRequest(
+                type = PERSISTENT,
+                name = name,
+                secret = secret
+            )
+        )
 
         mappedPermissions.forEach {
             accessTokenFacade.addPermission(response.accessToken.identifier, it)
@@ -93,7 +106,7 @@ internal class ChModCommand(private val accessTokenFacade: AccessTokenFacade) :
 
         accessTokenFacade.getAccessToken(name)
             ?.let { token ->
-                AccessTokenPermission.values().forEach { accessTokenFacade.deletePermission(token.identifier, it) }
+                AccessTokenPermission.entries.forEach { accessTokenFacade.deletePermission(token.identifier, it) }
                 mappedPermissions.forEach { accessTokenFacade.addPermission(token.identifier, it) }
                 context.append("Permissions have been changed from to '$permissions'")
             }