From f22f61ac662cd9f4ce94ee4b8bba08443fcd957f Mon Sep 17 00:00:00 2001
From: DDDHuang <44492639+DDDHuang@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:58:42 +0800
Subject: [PATCH] fix: users api, create illegal char username

---
 apps/emqx_dashboard/src/emqx_dashboard_admin.erl | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
index 158c42e6e..140622c67 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
@@ -70,7 +70,19 @@ mnesia(boot) ->
 -spec(add_user(binary(), binary(), binary()) -> {ok, map()} | {error, any()}).
 add_user(Username, Password, Desc)
   when is_binary(Username), is_binary(Password) ->
-    return(mria:transaction(?DASHBOARD_SHARD, fun add_user_/3, [Username, Password, Desc])).
+    case legal_username(Username) of
+        true ->
+            return(
+                mria:transaction(?DASHBOARD_SHARD, fun add_user_/3, [Username, Password, Desc]));
+        false ->
+            {error, <<"Bad Username."
+                    " Only upper and lower case letters, numbers and underscores are supported">>}
+    end.
+
+%% 0 - 9 or A -Z or a - z or $_
+legal_username(<<>>) -> false;
+legal_username(UserName) ->
+    nomatch /= re:run(UserName, "^[_a-zA-Z0-9]*$").
 
 %% black-magic: force overwrite a user
 force_add_user(Username, Password, Desc) ->