Sanitize the email input

Sanitize it using a regular expression
Mohamad Damaj 2023-07-21 15:52:10 +03:00 committed by GitHub
parent 9ccd47b236
commit 754578f885
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

24
main.go

@ -18,6 +18,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"time" "time"
"regexp"
) )
const ( const (
@ -160,18 +161,24 @@ func main() {
e.POST("/reset", func(c echo.Context) error { e.POST("/reset", func(c echo.Context) error {
mail := c.FormValue("email") mail := c.FormValue("email")
// Define a regular expression to match any non-alphanumeric characters
re := regexp.MustCompile("[^a-zA-Z0-9]+")
// Replace any non-alphanumeric characters with an empty string
sanitizedMail := re.ReplaceAllString(mail, "")
go func() { go func() {
// Check if there is already a password reset // Check if there is already a password reset
_, exists := passwordResetCache.Get(mail) _, exists := passwordResetCache.Get(sanitizedMail)
if exists { if exists {
log.Printf("[Cache] Mail %q already exists in cache, ignoring\n", mail) log.Printf("[Cache] Mail %q already exists in cache, ignoring\n", sanitizedMail)
return return
} }
// Check if it's exists in Maddy db // Check if it's exists in Maddy db
// It will return an error is there is no user found // It will return an error is there is no user found
var password string var password string
err = db.QueryRow("SELECT value FROM passwords WHERE key = ?", mail).Scan(&password) err = db.QueryRow("SELECT value FROM passwords WHERE key = ?", sanitizedMail).Scan(&password)
if err != nil { if err != nil {
log.Println("[Sqlite] An error occurred while trying to get password from Maddy database:", err) log.Println("[Sqlite] An error occurred while trying to get password from Maddy database:", err)
return return
@ -179,14 +186,14 @@ func main() {
// Generating an unique key // Generating an unique key
random := randomString(10) random := randomString(10)
passwordResetCache.Set(random, mail, CacheTime) passwordResetCache.Set(random, sanitizedMail, CacheTime)
// Connect to the server, authenticate, set the sender and recipient, // Connect to the server, authenticate, set the sender and recipient,
// and send the email all in one step. // and send the email all in one step.
to := []string{mail} to := []string{sanitizedMail}
if !DebugBypassMailSending { if !DebugBypassMailSending {
msg := strings.ReplaceAll(EmailTemplate, "$TO", mail) msg := strings.ReplaceAll(EmailTemplate, "$TO", sanitizedMail)
msg = strings.ReplaceAll(msg, "$FROM", EmailFrom) msg = strings.ReplaceAll(msg, "$FROM", EmailFrom)
msg = strings.ReplaceAll(msg, "$SUBJECT", EmailSubject) msg = strings.ReplaceAll(msg, "$SUBJECT", EmailSubject)
msg = strings.ReplaceAll(msg, "$MESSAGE", EmailMessage) msg = strings.ReplaceAll(msg, "$MESSAGE", EmailMessage)
@ -221,12 +228,12 @@ func main() {
e.POST("/reset/:key", func(c echo.Context) error { e.POST("/reset/:key", func(c echo.Context) error {
key := c.Param("key") key := c.Param("key")
password := c.FormValue("password") password := c.FormValue("password")
mail, exists := passwordResetCache.Get(key) sanitizedMail, exists := passwordResetCache.Get(key)
if exists { if exists {
passwordResetCache.Delete(key) passwordResetCache.Delete(key)
} }
maddyExecCommand := exec.Command("maddy", "creds", "password", "-p", password, mail.(string)) maddyExecCommand := exec.Command("maddy", "creds", "password", "-p", password, sanitizedMail.(string))
err = maddyExecCommand.Run() err = maddyExecCommand.Run()
if err != nil { if err != nil {
log.Println("[maddyExecCommand] Failed to execute Maddy's password reset command - ", err) log.Println("[maddyExecCommand] Failed to execute Maddy's password reset command - ", err)
@ -235,7 +242,6 @@ func main() {
return c.String(http.StatusOK, "All good! Your password is now changed.") return c.String(http.StatusOK, "All good! Your password is now changed.")
}) })
log.Println("[echo] Starting Echo web server") log.Println("[echo] Starting Echo web server")
e.Logger.Fatal(e.Start(":" + strconv.Itoa(HTTPServerPort))) e.Logger.Fatal(e.Start(":" + strconv.Itoa(HTTPServerPort)))
} }
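Review bot: The regex at the top of the `/reset` hunk strips `@` and `.` along with every other character outside `[a-zA-Z0-9]`, so `sanitizedMail` can never equal a real address: the `WHERE key = ?` lookup (presumably keyed on full addresses) will not match, and `to := []string{sanitizedMail}` addresses the reset mail to the mangled string. The query is already parameterized and `exec.Command` in the `/reset/:key` hunk passes the address as its own argv element rather than through a shell, so the stripping adds no injection protection; the input needs validation rather than mutation. Parsing with the standard library `net/mail` and returning 400 when it does not parse keeps valid addresses intact, rejects malformed ones, and removes the per-request `regexp.MustCompile` (and the `"regexp"` import, which also sits unsorted after `"time"`); the `/reset` closure continues past the end of the hunk. Separately, `sanitizedMail.(string)` on the `exec.Command` line panics when the key is not in the cache, since `Get` presumably returns a nil value then; use the two-value form `v, ok := sanitizedMail.(string)` and return an error response when `!ok`.
```go
e.POST("/reset", func(c echo.Context) error {
	// net/mail replaces the regexp import; a parse failure is a client error, not a lookup miss
	addr, parseErr := mail.ParseAddress(c.FormValue("email"))
	if parseErr != nil {
		return c.String(http.StatusBadRequest, "invalid email address")
	}
	sanitizedMail := addr.Address
	// … unchanged: goroutine doing the cache check, Maddy lookup and mail send …
```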