Fixes possible vulnerabilities with keyword hijacking (#20)

LefsFlare · 0xBAADF00D · commit 3ef022b0713a · 2016-11-12T13:26:45.000+01:00
- Added public entries to reserved keywords list
- Rename variables
- Derped comment
diff --git a/models/user.go b/models/user.go
@@ -505,12 +505,12 @@ func NewGhostUser() *User {
 }
 
 var (
-	reversedUsernames    = []string{"debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
-	reversedUserPatterns = []string{"*.keys"}
+	reservedUsernames    = []string{"assets", "css", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
+	reservedUserPatterns = []string{"*.keys"}
 )
 
 // isUsableName checks if name is reserved or pattern of name is not allowed
-// based on given reversed names and patterns.
+// based on given reserved names and patterns.
 // Names are exact match, patterns can be prefix or suffix match with placeholder '*'.
 func isUsableName(names, patterns []string, name string) error {
 	name = strings.TrimSpace(strings.ToLower(name))
@@ -535,7 +535,7 @@ func isUsableName(names, patterns []string, name string) error {
 }
 
 func IsUsableUsername(name string) error {
-	return isUsableName(reversedUsernames, reversedUserPatterns, name)
+	return isUsableName(reservedUsernames, reservedUserPatterns, name)
 }
 
 // CreateUser creates record of a new user.

Original file line number	Diff line number	Diff line change
`@@ -505,12 +505,12 @@ func NewGhostUser() *User {`
`505`	`505`	`}`
`506`	`506`
`507`	`507`	`var (`
`508`		`- reversedUsernames = []string{"debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}`
`509`		`- reversedUserPatterns = []string{"*.keys"}`
	`508`	`+ reservedUsernames = []string{"assets", "css", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatar", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}`
	`509`	`+ reservedUserPatterns = []string{"*.keys"}`
`510`	`510`	`)`
`511`	`511`
`512`	`512`	`// isUsableName checks if name is reserved or pattern of name is not allowed`
`513`		`-// based on given reversed names and patterns.`
	`513`	`+// based on given reserved names and patterns.`
`514`	`514`	`// Names are exact match, patterns can be prefix or suffix match with placeholder '*'.`
`515`	`515`	`func isUsableName(names, patterns []string, name string) error {`
`516`	`516`	`name = strings.TrimSpace(strings.ToLower(name))`
`@@ -535,7 +535,7 @@ func isUsableName(names, patterns []string, name string) error {`
`535`	`535`	`}`
`536`	`536`
`537`	`537`	`func IsUsableUsername(name string) error {`
`538`		`- return isUsableName(reversedUsernames, reversedUserPatterns, name)`
	`538`	`+ return isUsableName(reservedUsernames, reservedUserPatterns, name)`
`539`	`539`	`}`
`540`	`540`
`541`	`541`	`// CreateUser creates record of a new user.`