From c44d3d7a7e9e9e3abf5a8129d8cded5336102155 Mon Sep 17 00:00:00 2001
From: Risto Lahtela <24460436+Rsl1122@users.noreply.github.com>
Date: Sun, 24 Jan 2021 11:14:06 +0200
Subject: [PATCH] Prevented a future accidental XSS vulnerability in Register endpoint error
The username parameter was passed to an exception that is currently turned into json, but in the future the way this exception is handled could have changed.
---
 .../delivery/webserver/resolver/auth/RegisterResolver.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
index bca0bc2bb..3b7ce4154 100644
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
@@ -35,7 +35,7 @@ import java.util.Optional;
 @Singleton
 public class RegisterResolver implements NoAuthResolver {
- private DBSystem dbSystem;
+ private final DBSystem dbSystem;
 @Inject
 public RegisterResolver(DBSystem dbSystem) {this.dbSystem = dbSystem;}
@@ -58,7 +58,7 @@ public class RegisterResolver implements NoAuthResolver {
 String username = query.get("user").orElseThrow(() -> new BadRequestException("'user' parameter not defined"));
 boolean alreadyExists = dbSystem.getDatabase().query(WebUserQueries.fetchUser(username)).isPresent();
- if (alreadyExists) throw new BadRequestException("User '" + username + "' already exists!");
+ if (alreadyExists) throw new BadRequestException("User already exists!");
 String password = query.get("password").orElseThrow(() -> new BadRequestException("'password' parameter not defined"));
 try {
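Review bot: The reason the username was dropped from the message in the second hunk (`@@ -58,7 +58,7 @@`) lives only in the commit description, so a future maintainer is likely to re-add it for a friendlier error; a comment on the new throw line would anchor the decision in the code: `// Deliberately not echoing the caller-supplied username: this message may one day be rendered as HTML rather than JSON.` The static message still tells an unauthenticated caller whether a given account exists, which the commit does not set out to address and which is normally accepted for a registration endpoint, but it is worth noting if this resolver is reachable without rate limiting — I cannot see that from the hunk. The existence check and the later insert are separate database calls, so two concurrent registrations of the same name could presumably both pass the check; the `try {` block that performs the insert continues outside the hunk. The first hunk (`private final DBSystem dbSystem;`) is a harmless immutability tidy-up and needs no further change.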