validate username and fixes

2026-02-11 13:45:25 +03:00 · 2024-05-12 09:51:43 -05:00 · 2024-05-12 09:51:43 -05:00 · 30b9c6237f
commit 30b9c6237f
parent 1284704293
1 changed files with 5 additions and 1 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -5,6 +5,7 @@ import hashlib
 import json
 import logging
 import os
+import re
 import secrets
 import time
 from datetime import datetime
@ -239,6 +240,9 @@ def create_user():

    request_data = request.get_json()

+    if not re.match("^[A-Za-z0-9._]+$", request_data.get("username", "")):
+        make_response({"message": "Invalid username"}, 400)
+
    password_hash = hash_password(request_data["password"], iterations=HASH_ITERATIONS)

    User.insert(
@ -252,7 +256,7 @@ def create_user():

@AuthBp.route("/users/<username>", methods=["DELETE"])
 def delete_user(username: str):
-    User.delete_by_id(username).execute()
+    User.delete_by_id(username)
    return jsonify({"success": True})