more domain validation

src/config.rs

@@ -26,6 +26,8 @@ use bytes::Bytes;
 use derive_builder::Builder;
 use dyn_clone::{clone_trait_object, DynClone};
 use moka::future::Cache;
+use once_cell::sync::Lazy;
+use regex::Regex;
 use reqwest::Request;
 use reqwest_middleware::{ClientWithMiddleware, RequestBuilder};
 use rsa::{pkcs8::DecodePrivateKey, RsaPrivateKey};
@@ -107,6 +109,9 @@ pub struct FederationConfig<T: Clone> {
     pub(crate) queue_retry_count: usize,
 }
 
+pub(crate) static DOMAIN_REGEX: Lazy<Regex> =
+    Lazy::new(|| Regex::new(r"^[a-zA-Z0-9.-]*$").expect("compile regex"));
+
 impl<T: Clone> FederationConfig<T> {
     /// Returns a new config builder with default values.
     pub fn builder() -> FederationConfigBuilder<T> {
@@ -164,6 +169,9 @@ impl<T: Clone> FederationConfig<T> {
         let Some(domain) = url.domain() else {
             return Err(Error::UrlVerificationError("Url must have a domain"));
         };
+        if !DOMAIN_REGEX.is_match(domain) {
+            return Err(Error::UrlVerificationError("Invalid characters in domain").into());
+        }
 
         // Extra checks only for production mode
         if !self.debug {

src/fetch/webfinger.rs

@@ -1,5 +1,5 @@
 use crate::{
-    config::Data,
+    config::{Data, DOMAIN_REGEX},
     error::Error,
     fetch::{fetch_object_http_with_accept, object_id::ObjectId},
     traits::{Actor, Object},
@@ -53,9 +53,6 @@ where
     for<'de2> <Kind as Object>::Kind: serde::Deserialize<'de2>,
     <Kind as Object>::Error: From<crate::error::Error> + Send + Sync + Display,
 {
-    static DOMAIN_REGEX: Lazy<Regex> =
-        Lazy::new(|| Regex::new(r"^[a-zA-Z0-9.-]*$").expect("compile regex"));
-
     let (_, domain) = identifier
         .splitn(2, '@')
         .collect_tuple()