Validate emoji name before saving
parent
99d45ee048
commit
e3b51d0752
5 changed files with 48 additions and 7 deletions
|
@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Security
|
||||
|
||||
- Validate emoji name before saving.
|
||||
|
||||
## [1.10.0] - 2023-01-18
|
||||
|
||||
### Added
|
||||
|
|
|
@ -29,6 +29,11 @@ use crate::models::{
|
|||
update_emoji,
|
||||
},
|
||||
emojis::types::EmojiImage,
|
||||
emojis::validators::{
|
||||
validate_emoji_name,
|
||||
EMOJI_MAX_SIZE,
|
||||
EMOJI_MEDIA_TYPES,
|
||||
},
|
||||
posts::{
|
||||
hashtags::normalize_hashtag,
|
||||
helpers::get_post_by_object_id,
|
||||
|
@ -39,8 +44,6 @@ use crate::models::{
|
|||
content_allowed_classes,
|
||||
ATTACHMENTS_MAX_NUM,
|
||||
CONTENT_MAX_SIZE,
|
||||
EMOJI_MAX_SIZE,
|
||||
EMOJI_MEDIA_TYPES,
|
||||
EMOJIS_MAX_NUM,
|
||||
},
|
||||
},
|
||||
|
@ -383,6 +386,10 @@ pub async fn handle_note(
|
|||
continue;
|
||||
};
|
||||
let tag_name = tag.name.trim_matches(':');
|
||||
if validate_emoji_name(tag_name).is_err() {
|
||||
log::warn!("invalid emoji name");
|
||||
continue;
|
||||
};
|
||||
let maybe_emoji_id = match get_emoji_by_remote_object_id(
|
||||
db_client,
|
||||
&tag.id,
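Review bot: The rejection branch logs only the fixed string `invalid emoji name`, so an operator reading the logs cannot tell which tag, or which remote object, was rejected. Consider `log::warn!("invalid emoji name: {:?}", tag_name);`; the `{:?}` form escapes quotes and control characters, so a remote-chosen name cannot forge extra log lines. `tag.name.trim_matches(':')` strips any number of leading and trailing colons, so the name that is validated can differ from the one the remote sent, and a one-line comment saying this is intended would help. The check sits in the emoji loop of `handle_note`, whose body continues outside this hunk; whether other code paths that save emojis also call `validate_emoji_name` is not visible here.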
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
pub mod queries;
|
||||
pub mod types;
|
||||
pub mod validators;
|
||||
|
|
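--- a/src/models/emojis/validators.rs
+++ b/src/models/emojis/validators.rs
@@ -0,0 +1,34 @@
+use regex::Regex;
+
+use crate::errors::ValidationError;
+
+const EMOJI_NAME_RE: &str = r"^[\w.]+$";
+pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
+pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
+"image/gif",
+"image/png",
+];
+
+pub fn validate_emoji_name(emoji_name: &str) -> Result<(), ValidationError> {
+let name_re = Regex::new(EMOJI_NAME_RE).unwrap();
+if !name_re.is_match(emoji_name) {
+return Err(ValidationError("invalid emoji name"));
+};
+Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+use super::*;
+
+#[test]
+fn test_validate_emoji_name() {
+let valid_name = "emoji_name";
+let result = validate_emoji_name(valid_name);
+assert!(result.is_ok());
+
+let invalid_name = "emoji\"<script>";
+let result = validate_emoji_name(invalid_name);
+assert!(result.is_err());
+}
+}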
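Review bot: `EMOJI_NAME_RE` relies on `\w`, which the `regex` crate treats as Unicode-aware by default, so names containing non-ASCII letters and digits pass validation, and nothing bounds the length of the name. If emoji names are meant to be ASCII shortcodes (the page does not say), an explicit bounded class states that directly, e.g. `const EMOJI_NAME_RE: &str = r"^[A-Za-z0-9_.]{1,100}$";`, where 100 is a placeholder limit for the project to choose. `validate_emoji_name` also recompiles the pattern on every call; compiling it once would avoid repeating that work for each emoji tag. The test would be stronger with an empty string, a non-ASCII name and an over-long name among the rejected cases.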
@ -2,11 +2,6 @@ use crate::errors::ValidationError;
|
|||
use crate::utils::html::clean_html_strict;
|
||||
|
||||
pub const ATTACHMENTS_MAX_NUM: usize = 15;
|
||||
pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
|
||||
pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
|
||||
"image/gif",
|
||||
"image/png",
|
||||
];
|
||||
pub const EMOJIS_MAX_NUM: usize = 20;
|
||||
|
||||
pub const CONTENT_MAX_SIZE: usize = 100000;
|
||||
|
|