FediMovies/fedimovies
1
1
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Activity

Validate emoji name before saving

Browse source
This commit is contained in:
silverpill 2023-01-20 18:47:26 +00:00
parent 99d45ee048
commit e3b51d0752
5 changed files with 48 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased] ## [Unreleased]
### Security
- Validate emoji name before saving.
## [1.10.0] - 2023-01-18 ## [1.10.0] - 2023-01-18
### Added ### Added

11
src/activitypub/handlers/create.rs
View file

@ -29,6 +29,11 @@ use crate::models::{
update_emoji, update_emoji,
}, },
emojis::types::EmojiImage, emojis::types::EmojiImage,
emojis::validators::{
validate_emoji_name,
EMOJI_MAX_SIZE,
EMOJI_MEDIA_TYPES,
},
posts::{ posts::{
hashtags::normalize_hashtag, hashtags::normalize_hashtag,
helpers::get_post_by_object_id, helpers::get_post_by_object_id,
@ -39,8 +44,6 @@ use crate::models::{
content_allowed_classes, content_allowed_classes,
ATTACHMENTS_MAX_NUM, ATTACHMENTS_MAX_NUM,
CONTENT_MAX_SIZE, CONTENT_MAX_SIZE,
EMOJI_MAX_SIZE,
EMOJI_MEDIA_TYPES,
EMOJIS_MAX_NUM, EMOJIS_MAX_NUM,
}, },
}, },
@ -383,6 +386,10 @@ pub async fn handle_note(
continue; continue;
}; };
let tag_name = tag.name.trim_matches(':'); let tag_name = tag.name.trim_matches(':');
if validate_emoji_name(tag_name).is_err() {
log::warn!("invalid emoji name");
continue;
};
let maybe_emoji_id = match get_emoji_by_remote_object_id( let maybe_emoji_id = match get_emoji_by_remote_object_id(
db_client, db_client,
&tag.id, &tag.id,

1
src/models/emojis/mod.rs
View file

@ -1,2 +1,3 @@
pub mod queries; pub mod queries;
pub mod types; pub mod types;
pub mod validators;

34
src/models/emojis/validators.rs Normal file
View file

@ -0,0 +1,34 @@
use regex::Regex;
use crate::errors::ValidationError;
const EMOJI_NAME_RE: &str = r"^[\w.]+$";
pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
"image/gif",
"image/png",
];
pub fn validate_emoji_name(emoji_name: &str) -> Result<(), ValidationError> {
let name_re = Regex::new(EMOJI_NAME_RE).unwrap();
if !name_re.is_match(emoji_name) {
return Err(ValidationError("invalid emoji name"));
};
Ok(())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_validate_emoji_name() {
let valid_name = "emoji_name";
let result = validate_emoji_name(valid_name);
assert!(result.is_ok());
let invalid_name = "emoji\"<script>";
let result = validate_emoji_name(invalid_name);
assert!(result.is_err());
}
}

5
src/models/posts/validators.rs
View file

@ -2,11 +2,6 @@ use crate::errors::ValidationError;
use crate::utils::html::clean_html_strict; use crate::utils::html::clean_html_strict;
pub const ATTACHMENTS_MAX_NUM: usize = 15; pub const ATTACHMENTS_MAX_NUM: usize = 15;
pub const EMOJI_MAX_SIZE: usize = 250 * 1000; // 250 kB
pub const EMOJI_MEDIA_TYPES: [&str; 2] = [
"image/gif",
"image/png",
];
pub const EMOJIS_MAX_NUM: usize = 20; pub const EMOJIS_MAX_NUM: usize = 20;
pub const CONTENT_MAX_SIZE: usize = 100000; pub const CONTENT_MAX_SIZE: usize = 100000;