From e3b51d07523a00588dafc8b040c69864b94b6781 Mon Sep 17 00:00:00 2001
From: silverpill <silverpill@firemail.cc>
Date: Fri, 20 Jan 2023 18:47:26 +0000
Subject: [PATCH] Validate emoji name before saving

---
 CHANGELOG.md                       |  4 ++++
 src/activitypub/handlers/create.rs | 11 ++++++++--
 src/models/emojis/mod.rs           |  1 +
 src/models/emojis/validators.rs    | 34 ++++++++++++++++++++++++++++++
 src/models/posts/validators.rs     |  5 -----
 5 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 src/models/emojis/validators.rs

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5077595..7b11e64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Security
+
+- Validate emoji name before saving.
+
 ## [1.10.0] - 2023-01-18
 
 ### Added
diff --git a/src/activitypub/handlers/create.rs b/src/activitypub/handlers/create.rs
index 9679eeb..a03dae5 100644
--- a/src/activitypub/handlers/create.rs
+++ b/src/activitypub/handlers/create.rs
@@ -29,6 +29,11 @@ use crate::models::{
         update_emoji,
     },
     emojis::types::EmojiImage,
+    emojis::validators::{
+        validate_emoji_name,
+        EMOJI_MAX_SIZE,
+        EMOJI_MEDIA_TYPES,
+    },
     posts::{
         hashtags::normalize_hashtag,
         helpers::get_post_by_object_id,
@@ -39,8 +44,6 @@ use crate::models::{
             content_allowed_classes,
             ATTACHMENTS_MAX_NUM,
             CONTENT_MAX_SIZE,
-            EMOJI_MAX_SIZE,
-            EMOJI_MEDIA_TYPES,
             EMOJIS_MAX_NUM,
         },
     },
@@ -383,6 +386,10 @@ pub async fn handle_note(
                     continue;
                 };
                 let tag_name = tag.name.trim_matches(':');
+                if validate_emoji_name(tag_name).is_err() {
+                    log::warn!("invalid emoji name");
+                    continue;
+                };
                 let maybe_emoji_id = match get_emoji_by_remote_object_id(
                     db_client,
                     &tag.id,
diff --git a/src/models/emojis/mod.rs b/src/models/emojis/mod.rs
index 0333ab5..a35947b 100644
--- a/src/models/emojis/mod.rs
+++ b/src/models/emojis/mod.rs
@@ -1,2 +1,3 @@
 pub mod queries;
 pub mod types;
+pub mod validators;
diff --git a/src/models/emojis/validators.rs b/src/models/emojis/validators.rs
new file mode 100644
index 0000000..621b48c
--- /dev/null
+++ b/src/models/emojis/validators.rs
@@ -0,0 +1,34 @@
+use regex::Regex;
+
+use crate::errors::ValidationError;
+
+const EMOJI_NAME_RE: &str = r"^[\w.]+$";
+pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
+pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
+    "image/gif",
+    "image/png",
+];
+
+pub fn validate_emoji_name(emoji_name: &str) -> Result<(), ValidationError> {
+    let name_re = Regex::new(EMOJI_NAME_RE).unwrap();
+    if !name_re.is_match(emoji_name) {
+        return Err(ValidationError("invalid emoji name"));
+    };
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_validate_emoji_name() {
+        let valid_name = "emoji_name";
+        let result = validate_emoji_name(valid_name);
+        assert!(result.is_ok());
+
+        let invalid_name = "emoji\"<script>";
+        let result = validate_emoji_name(invalid_name);
+        assert!(result.is_err());
+    }
+}
diff --git a/src/models/posts/validators.rs b/src/models/posts/validators.rs
index 594b774..4464b53 100644
--- a/src/models/posts/validators.rs
+++ b/src/models/posts/validators.rs
@@ -2,11 +2,6 @@ use crate::errors::ValidationError;
 use crate::utils::html::clean_html_strict;
 
 pub const ATTACHMENTS_MAX_NUM: usize = 15;
-pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
-pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
-    "image/gif",
-    "image/png",
-];
 pub const EMOJIS_MAX_NUM: usize = 20;
 
 pub const CONTENT_MAX_SIZE: usize = 100000;