Validate emoji name before saving

2023-01-20 18:47:26 +00:00 · 2023-01-20 18:47:26 +00:00 · e3b51d0752
parent 99d45ee048
commit e3b51d0752
5 changed files with 48 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

 ## [Unreleased]

+### Security
+
+- Validate emoji name before saving.
+
 ## [1.10.0] - 2023-01-18

 ### Added
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@ -29,6 +29,11 @@ use crate::models::{
        update_emoji,
    },
    emojis::types::EmojiImage,
+    emojis::validators::{
+        validate_emoji_name,
+        EMOJI_MAX_SIZE,
+        EMOJI_MEDIA_TYPES,
+    },
    posts::{
        hashtags::normalize_hashtag,
        helpers::get_post_by_object_id,
@ -39,8 +44,6 @@ use crate::models::{
            content_allowed_classes,
            ATTACHMENTS_MAX_NUM,
            CONTENT_MAX_SIZE,
-            EMOJI_MAX_SIZE,
-            EMOJI_MEDIA_TYPES,
            EMOJIS_MAX_NUM,
        },
    },
@ -383,6 +386,10 @@ pub async fn handle_note(
                    continue;
                };
                let tag_name = tag.name.trim_matches(':');
+                if validate_emoji_name(tag_name).is_err() {
+                    log::warn!("invalid emoji name");
+                    continue;
+                };
                let maybe_emoji_id = match get_emoji_by_remote_object_id(
                    db_client,
                    &tag.id,
--- a/src/models/emojis/mod.rs
+++ b/src/models/emojis/mod.rs
@ -1,2 +1,3 @@
 pub mod queries;
 pub mod types;
+pub mod validators;
--- a/src/models/emojis/validators.rs
+++ b/src/models/emojis/validators.rs
@ -0,0 +1,34 @@
+use regex::Regex;
+
+use crate::errors::ValidationError;
+
+const EMOJI_NAME_RE: &str = r"^[\w.]+$";
+pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
+pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
+    "image/gif",
+    "image/png",
+];
+
+pub fn validate_emoji_name(emoji_name: &str) -> Result<(), ValidationError> {
+    let name_re = Regex::new(EMOJI_NAME_RE).unwrap();
+    if !name_re.is_match(emoji_name) {
+        return Err(ValidationError("invalid emoji name"));
+    };
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_validate_emoji_name() {
+        let valid_name = "emoji_name";
+        let result = validate_emoji_name(valid_name);
+        assert!(result.is_ok());
+
+        let invalid_name = "emoji\"<script>";
+        let result = validate_emoji_name(invalid_name);
+        assert!(result.is_err());
+    }
+}
--- a/src/models/posts/validators.rs
+++ b/src/models/posts/validators.rs
@ -2,11 +2,6 @@ use crate::errors::ValidationError;
 use crate::utils::html::clean_html_strict;

 pub const ATTACHMENTS_MAX_NUM: usize = 15;
-pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
-pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
-    "image/gif",
-    "image/png",
-];
 pub const EMOJIS_MAX_NUM: usize = 20;

 pub const CONTENT_MAX_SIZE: usize = 100000;