Prevented a future accidental XSS vulnerability in Register endpoint error

The username parameter was passed into an exception that is currently rendered as JSON,
but the way this exception is handled could change in the future.
This commit is contained in:
Risto Lahtela 2021-01-24 11:14:06 +02:00
parent a6c286b0f2
commit c44d3d7a7e


@ -35,7 +35,7 @@ import java.util.Optional;
@Singleton @Singleton
public class RegisterResolver implements NoAuthResolver { public class RegisterResolver implements NoAuthResolver {
private DBSystem dbSystem; private final DBSystem dbSystem;
@Inject @Inject
public RegisterResolver(DBSystem dbSystem) {this.dbSystem = dbSystem;} public RegisterResolver(DBSystem dbSystem) {this.dbSystem = dbSystem;}
@ -58,7 +58,7 @@ public class RegisterResolver implements NoAuthResolver {
String username = query.get("user").orElseThrow(() -> new BadRequestException("'user' parameter not defined")); String username = query.get("user").orElseThrow(() -> new BadRequestException("'user' parameter not defined"));
boolean alreadyExists = dbSystem.getDatabase().query(WebUserQueries.fetchUser(username)).isPresent(); boolean alreadyExists = dbSystem.getDatabase().query(WebUserQueries.fetchUser(username)).isPresent();
if (alreadyExists) throw new BadRequestException("User '" + username + "' already exists!"); if (alreadyExists) throw new BadRequestException("User already exists!");
String password = query.get("password").orElseThrow(() -> new BadRequestException("'password' parameter not defined")); String password = query.get("password").orElseThrow(() -> new BadRequestException("'password' parameter not defined"));
try { try {