OPENIDM-15011

validateObject fails if userName contains single parenthesis


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.0.3
    • Fix Version/s: 7.1.0
    • Component/s: Module - Policy
    • Sprint: 2020.13 - IDM

      Description

      Reproducible on 6.5.0.3 and 7.0.0-SNAPSHOT (build: 20200608083929, revision: ca359bb).

      validateObject fails if managed object userName contains either an open or close parenthesis (not in a pair).
      As a result, user self-registration fails if a user chooses a userName with a single parenthesis.

      TEST CASE:
      ~~~~~~~~

      1. IDM 6.5.0.3.
      2. validateObject an object with userName "user(0":
      $ curl -u openidm-admin:openidm-admin -H "Content-Type: application/json" -X POST "http://host1:8080/openidm/policy/managed/user/*?_action=validateObject" -d '{"userName":"user(0", "givenName":"user.0-givenname", "sn":"user.0-sn", "mail":"user.0@example.com", "preferences":{"updates":false, "marketing":false}, "password":"Passw0rd"}' | jq .
      
      {
        "code": 500,
        "reason": "Internal Server Error",
        "message": "SyntaxError: Unterminated parenthetical ",
        "detail": {}
      }
      • openidm0.log.0:
        Caused by: org.mozilla.javascript.EcmaError: SyntaxError: Unterminated parenthetical (/openidm/bin/defaults/script/policy.js#545)
      • This is due to policy checking for managed user password. By default, it includes this policy:
        {
          "policyId" : "cannot-contain-others",
          "params" : {
            "disallowedFields" : [
              "userName",
              "givenName",
              "sn"
            ]
          }
        }
      • In bin/defaults/bin/policy.js:
            495     policyFunctions.cannotContainOthers = function(fullObject, value, params, property) {
        ...
            537         if (value && typeof(value) === "string" && value.length) {
        ...
            545                 if (typeof(disallowedFieldValue) === "string" && value.match(disallowedFieldValue)) {
            546                     result.push(disallowedFieldName);
            547                 }
        

        The String.match() fails with "Unterminated parenthetical".

      3. If we escape the values before calling String.match(), in policy.js cannotContainOthers:

      $ diff -u policy.js.orig policy.js 
      --- policy.js.orig	2020-02-19 19:08:34.000000000 +0800
      +++ policy.js	2020-06-17 16:30:35.641238527 +0800
      @@ -535,6 +535,9 @@
               }
       
               if (value && typeof(value) === "string" && value.length) {
      +
      +            escapedValue = value.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&");
      +
                   fieldArray.forEach(function (disallowedFieldName) {
                       disallowedFieldValue = getValueFromPointer(fullObject, disallowedFieldName);
       
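Review bot: `escapedValue` is assigned without `var` in the added line under `if (value && typeof(value) === "string" && value.length)`, so in Rhino's non-strict mode it becomes an implicit global shared across concurrent policy evaluations; declare it locally (`var escapedValue = ...`). The bigger logic problem is that escaping is applied to the subject string rather than the pattern: inserting backslashes into `value` changes the text being searched, so a password that really does contain a userName such as `user(0` no longer matches, which is the null result the report describes after the patch. Escape only the disallowed field value, or drop regular expressions from this comparison altogether.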
      @@ -542,7 +545,7 @@
                           disallowedFieldValue = getValueFromPointer(fullObject_server, disallowedFieldName);
                       }
       
      -                if (typeof(disallowedFieldValue) === "string" && value.match(disallowedFieldValue)) {
      +                if (typeof(disallowedFieldValue) === "string" && escapedValue.match(disallowedFieldValue.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&"))) {
                           result.push(disallowedFieldName);
                       }
                   });
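Review bot: the replaced condition still routes a plain substring check through `String.match()`, now with the same escape character class duplicated on both sides; `value.indexOf(disallowedFieldValue) !== -1` does what `cannotContainOthers` needs with no RegExp construction, so neither the SyntaxError nor the lost matches can occur and the escaping code can go. While touching this line, also guard against an empty `disallowedFieldValue`: the `typeof(disallowedFieldValue) === "string"` test lets an empty givenName or sn through, and `value.match("")` is truthy for every value, so the field would always be reported.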
      

      => validateObject now succeeds. However, String.match() returns null on the escaped strings, i.e. it fails to detect when the password contains the userName.
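The root cause described in the report, as an added example that is not part of the report or of OpenIDM's policy.js: String.match() compiles its string argument into a RegExp, so a userName with a lone parenthesis throws and a dot in givenName acts as a wildcard. The substring-based variant is my assumption of a hardened form, not the project's eventual fix, and the sample user is constructed to mirror the test case.

```javascript
// Added example, not code from the OpenIDM report or from policy.js.
// String.prototype.match(str) compiles str into a RegExp, so any managed
// object field passed to it this way is parsed as a pattern.

// Constructed sample managed user, mirroring the values in the test case.
const sampleUser = { userName: "user(0", givenName: "user.0-givenname", sn: "user.0-sn" };
const disallowedFields = ["userName", "givenName", "sn"];

// Same shape as the original cannotContainOthers check: the disallowed
// field value is handed to match() as a string and becomes a RegExp.
function containsOthersOriginal(value, fullObject, fields) {
  const result = [];
  fields.forEach(function (name) {
    const other = fullObject[name];
    if (typeof other === "string" && value.match(other)) {
      result.push(name);
    }
  });
  return result;
}

// Hardened variant (assumption, not the project's eventual fix): a plain
// substring comparison, so no pattern is ever built from user-controlled
// text and an empty field can no longer match every value.
function containsOthersFixed(value, fullObject, fields) {
  return fields.filter(function (name) {
    const other = fullObject[name];
    return typeof other === "string" && other.length > 0 && value.indexOf(other) !== -1;
  });
}

// Runs the original check and returns the error text if it throws,
// or null when it completed normally.
function originalError(value, fullObject, fields) {
  try {
    containsOthersOriginal(value, fullObject, fields);
    return null;
  } catch (e) {
    return e.name + ": " + e.message;
  }
}

// Demonstration: the lone parenthesis throws; "." in givenName is a
// wildcard for the original check but not for the substring version.
console.log(originalError("Passw0rd", sampleUser, disallowedFields));
console.log(containsOthersFixed("user(0abc", sampleUser, disallowedFields));
console.log(containsOthersOriginal("userX0", { givenName: "user.0" }, ["givenName"]));
console.log(containsOthersFixed("userX0", { givenName: "user.0" }, ["givenName"]));
```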

       

            People

            Assignee: jason.vincent (jason vincent)
            Reporter: wei-yee.lum (Wei-Yee Lum)
            Votes: 0
            Watchers: 3
