Damaj301damaj/maddy-password-reset
1
0
Fork 0
mirror of https://github.com/hugmouse/maddy-password-reset.git synced 2025-04-19 04:50:25 +00:00
Code Issues Projects Releases Packages Wiki Activity

Sanitize the email input

Browse source 
Sanitize it using regex
This commit is contained in:
Mohamad Damaj 2023-07-21 15:52:10 +03:00 committed by GitHub
parent 9ccd47b236
commit 754578f885
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
main.go
View file

@ -18,6 +18,7 @@ import (
"strconv"
"strings"
"time"
"regexp"
)
const (
@ -160,18 +161,24 @@ func main() {
e.POST("/reset", func(c echo.Context) error {
mail := c.FormValue("email")
// Define a regular expression to match any non-alphanumeric characters
re := regexp.MustCompile("[^a-zA-Z0-9]+")
// Replace any non-alphanumeric characters with an empty string
sanitizedMail := re.ReplaceAllString(mail, "")
go func() {
// Check if there is already a password reset
_, exists := passwordResetCache.Get(mail)
_, exists := passwordResetCache.Get(sanitizedMail)
if exists {
log.Printf("[Cache] Mail %q already exists in cache, ignoring\n", mail)
log.Printf("[Cache] Mail %q already exists in cache, ignoring\n", sanitizedMail)
return
}
// Check if it's exists in Maddy db
// It will return an error is there is no user found
var password string
err = db.QueryRow("SELECT value FROM passwords WHERE key = ?", mail).Scan(&password)
err = db.QueryRow("SELECT value FROM passwords WHERE key = ?", sanitizedMail).Scan(&password)
if err != nil {
log.Println("[Sqlite] An error occurred while trying to get password from Maddy database:", err)
return
@ -179,14 +186,14 @@ func main() {
// Generating an unique key
random := randomString(10)
passwordResetCache.Set(random, mail, CacheTime)
passwordResetCache.Set(random, sanitizedMail, CacheTime)
// Connect to the server, authenticate, set the sender and recipient,
// and send the email all in one step.
to := []string{mail}
to := []string{sanitizedMail}
if !DebugBypassMailSending {
msg := strings.ReplaceAll(EmailTemplate, "$TO", mail)
msg := strings.ReplaceAll(EmailTemplate, "$TO", sanitizedMail)
msg = strings.ReplaceAll(msg, "$FROM", EmailFrom)
msg = strings.ReplaceAll(msg, "$SUBJECT", EmailSubject)
msg = strings.ReplaceAll(msg, "$MESSAGE", EmailMessage)
@ -221,12 +228,12 @@ func main() {
e.POST("/reset/:key", func(c echo.Context) error {
key := c.Param("key")
password := c.FormValue("password")
mail, exists := passwordResetCache.Get(key)
sanitizedMail, exists := passwordResetCache.Get(key)
if exists {
passwordResetCache.Delete(key)
}
maddyExecCommand := exec.Command("maddy", "creds", "password", "-p", password, mail.(string))
maddyExecCommand := exec.Command("maddy", "creds", "password", "-p", password, sanitizedMail.(string))
err = maddyExecCommand.Run()
if err != nil {
log.Println("[maddyExecCommand] Failed to execute Maddy's password reset command - ", err)
@ -235,7 +242,6 @@ func main() {
return c.String(http.StatusOK, "All good! Your password is now changed.")
})
log.Println("[echo] Starting Echo web server")
e.Logger.Fatal(e.Start(":" + strconv.Itoa(HTTPServerPort)))
}