fix: handle password being undefined when validating (#809)

2025-04-15 01:16:22 +02:00 · 2021-04-27 15:35:10 +02:00 · 2021-04-27 15:35:10 +02:00 · d0b17af770
commit d0b17af770
parent 578078e03f
4 changed files with 66 additions and 4 deletions
--- a/src/lib/error/password-undefined.ts
+++ b/src/lib/error/password-undefined.ts
@ -0,0 +1,23 @@
+export default class PasswordUndefinedError extends Error {
+    constructor() {
+        super();
+        Error.captureStackTrace(this, this.constructor);
+
+        this.name = this.constructor.name;
+        this.message = 'Password cannot be empty or undefined';
+    }
+
+    toJSON(): any {
+        const obj = {
+            isJoi: true,
+            name: this.constructor.name,
+            details: [
+                {
+                    validationErrors: [],
+                    message: 'Password cannot be empty or undefined',
+                },
+            ],
+        };
+        return obj;
+    }
+}
--- a/src/lib/routes/admin-api/util.js
+++ b/src/lib/routes/admin-api/util.js
@ -67,6 +67,11 @@ const handleErrors = (res, logger, error) => {
                .status(400)
                .json(error)
                .end();
+        case 'PasswordUndefinedError':
+            return res
+                .status(400)
+                .json(error)
+                .end();
        default:
            logger.error('Server failed executing request', error);
            return res.status(500).end();
--- a/src/lib/services/user-service.ts
+++ b/src/lib/services/user-service.ts
@ -18,6 +18,7 @@ import { IUnleashConfig } from '../types/option';
 import SessionService from './session-service';
 import { IUnleashServices } from '../types/services';
 import { IUnleashStores } from '../types/stores';
+import PasswordUndefinedError from '../error/password-undefined';

 export interface ICreateUser {
    name?: string;
@ -94,10 +95,14 @@ class UserService {
    }

    validatePassword(password: string): boolean {
-        const result = owasp.test(password);
-        if (!result.strong) {
-            throw new OwaspValidationError(result);
-        } else return true;
+        if (password) {
+            const result = owasp.test(password);
+            if (!result.strong) {
+                throw new OwaspValidationError(result);
+            } else return true;
+        } else {
+            throw new PasswordUndefinedError();
+        }
    }

    async initAdminUser(): Promise<void> {
--- a/src/test/e2e/api/auth/reset-password-controller.e2e.test.ts
+++ b/src/test/e2e/api/auth/reset-password-controller.e2e.test.ts
@ -257,3 +257,32 @@ test.serial(
            .expect(res => t.is(res.status, 401));
    },
 );
+
+test.serial(
+    'Trying to change password to undefined should yield 400 without crashing the server',
+    async t => {
+        t.plan(0);
+        const request = await setupApp(stores);
+        const url = await resetTokenService.createResetPasswordUrl(
+            user.id,
+            adminUser.username,
+        );
+        const relative = getBackendResetUrl(url);
+        let token;
+        await request
+            .get(relative)
+            .expect(200)
+            .expect('Content-Type', /json/)
+            .expect(res => {
+                token = res.body.token;
+            });
+        await request
+            .post('/auth/reset/password')
+            .send({
+                email: user.email,
+                token,
+                password: undefined,
+            })
+            .expect(400);
+    },
+);