From e7a555db17fe2316a01f724c210847acdd336612 Mon Sep 17 00:00:00 2001 From: timothycarambat Date: Fri, 10 May 2024 17:26:08 -0700 Subject: [PATCH 1/2] prevent accidental lockout from restrict chars in single pass mode --- .../pages/GeneralSettings/Security/index.jsx | 18 ++++++++++++++---- server/utils/helpers/updateENV.js | 9 ++++++++- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/frontend/src/pages/GeneralSettings/Security/index.jsx b/frontend/src/pages/GeneralSettings/Security/index.jsx index 7d60aadadaf..94655fea626 100644 --- a/frontend/src/pages/GeneralSettings/Security/index.jsx +++ b/frontend/src/pages/GeneralSettings/Security/index.jsx @@ -190,6 +190,7 @@ function MultiUserMode() { ); } +const PW_REGEX = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/); function PasswordProtection() { const [saving, setSaving] = useState(false); const [hasChanges, setHasChanges] = useState(false); @@ -200,10 +201,19 @@ function PasswordProtection() { const handleSubmit = async (e) => { e.preventDefault(); if (multiUserModeEnabled) return false; + const form = new FormData(e.target); + + if (!PW_REGEX.test(form.get("password"))) { + showToast( + `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;`, + "error" + ); + setSaving(false); + return; + } setSaving(true); setHasChanges(false); - const form = new FormData(e.target); const data = { usePassword, newPassword: form.get("password"), @@ -323,9 +333,9 @@ function PasswordProtection() {
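Review bot: `PW_REGEX` duplicates the allow-list that `noRestrictedChars()` in server/utils/helpers/updateENV.js enforces in the same patch, and nothing ties the two together, so the next edit to either will silently diverge the client hint from the server rule; the `new RegExp(...)` wrapper around a regex literal is also redundant. I would declare it as `const PW_REGEX = /^[a-zA-Z0-9_\-!@$%^&*();]+$/;` with the comment `// Keep in sync with noRestrictedChars() in server/utils/helpers/updateENV.js; the server check is the one actually enforced.` above it. The commit subject says the restriction prevents lockouts, but neither file records which characters break what; a one-line why-comment belongs here (presumably the value is persisted as `AUTH_TOKEN` in the env file, per the updateENV.js hunk, but confirm before writing that).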
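Review bot: The new check runs regardless of `usePassword`, and the regex requires at least one character, so a submit that turns password protection off with an empty field is rejected with a misleading "restricted characters" toast, while a missing field (`form.get("password")` returning `null`) is coerced to the string `"null"` and passes. I would read the value once and gate the test on it being relevant: `const newPassword = form.get("password") ?? "";` and `if (usePassword && !PW_REGEX.test(newPassword)) {`, then use `newPassword` in `data`. Whether the field is present at all when protection is being disabled is not visible in the hunk, so treat the `null` case as a guess to confirm. The `setSaving(false)` in the early-return branch is a no-op because `setSaving(true)` only happens further down, and a short comment that this client check is a courtesy and the server-side `noRestrictedChars` is authoritative would help. `handleSubmit` continues past the end of the hunk.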

- By default, you will be the only admin. As an admin you will
- need to create accounts for all new users or admins. Do not lose
- your password as only an Admin user can reset passwords.
+ By default, anyone with this password can log into the instance.
+ Do not lose this password as only the instance maintainer is
+ able to retrieve or reset the password once set.

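Review bot: The new copy tells the user the maintainer can "retrieve" the password, which only holds if it is stored in recoverable form; the updateENV.js hunk in this patch maps `AuthToken` to the `AUTH_TOKEN` env value, which suggests exactly that. If that is confirmed, the text should say so plainly so operators know the server's env file now holds a login secret, e.g. `Do not lose this password. It is stored as AUTH_TOKEN in the server's environment file, so only someone with access to that file can retrieve or reset it.` Check the server code before changing the wording; the surrounding JSX element starts and ends outside the hunk.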
diff --git a/server/utils/helpers/updateENV.js b/server/utils/helpers/updateENV.js index 39223c3343e..aff03dae154 100644 --- a/server/utils/helpers/updateENV.js +++ b/server/utils/helpers/updateENV.js @@ -338,7 +338,7 @@ const KEY_MAPPING = { // System Settings AuthToken: { envKey: "AUTH_TOKEN", - checks: [requiresForceMode], + checks: [requiresForceMode, noRestrictedChars], }, JWTSecret: { envKey: "JWT_SECRET", @@ -574,6 +574,13 @@ function validHuggingFaceEndpoint(input = "") { : null; } +function noRestrictedChars(input = "") { + const regExp = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/); + return !regExp.test(input) + ? `Your password has restricted characters in it. It cannot contain backticks, quotes, or # signs.` + : null; +} + // This will force update .env variables which for any which reason were not able to be parsed or // read from an ENV file as this seems to be a complicating step for many so allowing people to write // to the process will at least alleviate that issue. It does not perform comprehensive validity checks or sanity checks From 8fd76c6ab19ef47f957c24ada28c5a9150a30dab Mon Sep 17 00:00:00 2001 From: timothycarambat Date: Fri, 10 May 2024 17:29:28 -0700 Subject: [PATCH 2/2] update error message --- server/utils/helpers/updateENV.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/utils/helpers/updateENV.js b/server/utils/helpers/updateENV.js index aff03dae154..e2f5c7526e9 100644 --- a/server/utils/helpers/updateENV.js +++ b/server/utils/helpers/updateENV.js @@ -577,7 +577,7 @@ function validHuggingFaceEndpoint(input = "") { function noRestrictedChars(input = "") { const regExp = new RegExp(/^[a-zA-Z0-9_\-!@$%^&*();]+$/); return !regExp.test(input) - ? `Your password has restricted characters in it. It cannot contain backticks, quotes, or # signs.` + ? `Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;` : null; }
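Review bot: `noRestrictedChars` rejects its own default: `input = ""` fails the `+` quantifier, so an empty or missing value yields the "restricted characters" message instead of saying the password is empty, and a non-string (an array like `["abc"]`, if `input` comes straight from a JSON body) is coerced by `test` and can pass. I would guard type and emptiness separately and hoist the regex so it is documented once: `if (typeof input !== "string" || input.length === 0) return "Password must be a non-empty string.";` followed by `return AUTH_TOKEN_ALLOWED.test(input) ? null : \`Your password has restricted characters in it. Allowed symbols are _,-,!,@,$,%,^,&,*,(,),;\`;` with `const AUTH_TOKEN_ALLOWED = /^[a-zA-Z0-9_\-!@$%^&*();]+$/;` at module level (the `new RegExp(/…/)` wrapper is redundant). The allow-list also excludes spaces, `.`, `,` and most other punctuation, which rules out passphrases and caps achievable entropy; if the restriction exists only because the value is serialized into the env file, quoting or escaping at write time would be the better long-term fix, but that code is not in this diff. A comment on the function naming which characters are unsafe and why (the first version of the message named backticks, quotes and `#`) would keep the next maintainer from widening the set by accident.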