From edcaf0868f3145f9ae95ac71e5d2dcfcc495bae7 Mon Sep 17 00:00:00 2001
From: Pavel Baluev
Date: Mon, 16 Sep 2024 18:47:00 +0200
Subject: [PATCH] Google auth: sanitize input

---
 src/server/auth/providers/google/index.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/server/auth/providers/google/index.ts b/src/server/auth/providers/google/index.ts
index 9fe90d0c..a513b958 100644
--- a/src/server/auth/providers/google/index.ts
+++ b/src/server/auth/providers/google/index.ts
@@ -67,15 +67,19 @@ export const plugin: FastifyPluginCallback = async (
 // e.g will match =s96-c =s128
 data.picture = data.picture.replace(/=s\d+(-c)?$/, `=s${312}$1`)
 }
+
+ const sanitizeInput = (x: string) =>
+ x.replace(/[\u0000-\u001F\u007F-\u009F]/g, '')
+
 if (!user) {
 user = await fastify.db.User.create({
- fullName: data.name,
- email: data.email,
- avatar: data.picture,
+ fullName: sanitizeInput(data.name),
+ email: sanitizeInput(data.email),
+ avatar: sanitizeInput(data.picture),
 roles: [appConfig.getDefaultUserRoleByEmail(data.email)],
 })
 } else {
- await user.set({ avatar: data.picture }).save()
+ await user.set({ avatar: sanitizeInput(data.picture) }).save()
 }
 
 // add type to show which parameters are allowed
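Review bot: `roles: [appConfig.getDefaultUserRoleByEmail(data.email)]` still receives the raw `data.email`, so the role is decided on a different string from the sanitized one that is stored; compute it once with `const email = sanitizeInput(data.email)` and use that for both fields, and for the user lookup too if the code above this hunk keys on the email. For an identity field, rejecting the login when `sanitizeInput(data.email) !== data.email` is safer than silently storing an altered address. Separately, `sanitizeInput` calls `x.replace` unconditionally, so a profile without `name` or `picture` would now throw where the old code passed `undefined` through; the `}` context line suggests the picture rewrite above is guarded, but that guard starts outside the hunk. A signature such as `(x?: string) => x?.replace(/[\u0000-\u001F\u007F-\u009F]/g, '')` would keep the previous behaviour for missing fields. The plugin body begins and ends outside the hunk.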