Validate emoji name before saving

This commit is contained in:
silverpill 2023-01-20 18:47:26 +00:00
parent 99d45ee048
commit e3b51d0752
5 changed files with 48 additions and 7 deletions

View file

@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased]
### Security
- Validate emoji name before saving.
## [1.10.0] - 2023-01-18
### Added

View file

@ -29,6 +29,11 @@ use crate::models::{
update_emoji,
},
emojis::types::EmojiImage,
emojis::validators::{
validate_emoji_name,
EMOJI_MAX_SIZE,
EMOJI_MEDIA_TYPES,
},
posts::{
hashtags::normalize_hashtag,
helpers::get_post_by_object_id,
@ -39,8 +44,6 @@ use crate::models::{
content_allowed_classes,
ATTACHMENTS_MAX_NUM,
CONTENT_MAX_SIZE,
EMOJI_MAX_SIZE,
EMOJI_MEDIA_TYPES,
EMOJIS_MAX_NUM,
},
},
@ -383,6 +386,10 @@ pub async fn handle_note(
continue;
};
let tag_name = tag.name.trim_matches(':');
if validate_emoji_name(tag_name).is_err() {
log::warn!("invalid emoji name");
continue;
};
let maybe_emoji_id = match get_emoji_by_remote_object_id(
db_client,
&tag.id,

View file

@ -1,2 +1,3 @@
pub mod queries;
pub mod types;
pub mod validators;

View file

@ -0,0 +1,34 @@
use regex::Regex;
use crate::errors::ValidationError;
const EMOJI_NAME_RE: &str = r"^[\w.]+$";
pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
"image/gif",
"image/png",
];
pub fn validate_emoji_name(emoji_name: &str) -> Result<(), ValidationError> {
let name_re = Regex::new(EMOJI_NAME_RE).unwrap();
if !name_re.is_match(emoji_name) {
return Err(ValidationError("invalid emoji name"));
};
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_validate_emoji_name() {
let valid_name = "emoji_name";
let result = validate_emoji_name(valid_name);
assert!(result.is_ok());
let invalid_name = "emoji\"<script>";
let result = validate_emoji_name(invalid_name);
assert!(result.is_err());
}
}

View file

@ -2,11 +2,6 @@ use crate::errors::ValidationError;
use crate::utils::html::clean_html_strict;
pub const ATTACHMENTS_MAX_NUM: usize = 15;
pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
"image/gif",
"image/png",
];
pub const EMOJIS_MAX_NUM: usize = 20;
pub const CONTENT_MAX_SIZE: usize = 100000;