improve post format validation

2025-03-13 05:51:23 +00:00 · 2023-12-09 19:51:30 +02:00 · 2023-12-09 19:51:30 +02:00 · df68a3aa91
commit df68a3aa91
parent 9acb021d0e
3 changed files with 16 additions and 3 deletions
--- a/.env
+++ b/.env
@ -19,7 +19,7 @@ APP_ENV=dev
 APP_SECRET=EDIT_ME
 ###< symfony/framework-bundle ###

-APP_VERSION=1.3.0
+APP_VERSION=1.3.1

 APP_NAME=KevaChat

@ -49,7 +49,7 @@ APP_KEVACOIN_EXPLORER_URL=https://keva.one/explorer/address/
 # Address to receive kevacoin powers (make others able to fill node balance)
 APP_KEVACOIN_BOOST_ADDRESS=EDIT_ME

-# Allowed room namespaces, separated with | (must be owned to accept posts)
+# Pinned room namespaces, separated with |
 APP_KEVACOIN_ROOM_NAMESPACES_PINNED=EDIT_ME

 # Allowed room namespaces for read only (e.g. project news) separated with |
@ -76,5 +76,8 @@ APP_ADD_POST_REMOTE_IP_MODERATORS=
 # Skip access limits for banned IPs separated by |
 APP_ADD_POST_REMOTE_IP_DENIED=

+# Post ID rules (for kevacoin key) do not change to keep external KevaChat nodes compatibility
+APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-z0-9\.\:\[\]]+)$/
+
 # Post content rules (for kevacoin value)
 APP_ADD_POST_VALUE_REGEX=/^[\w\s\:\.\,\'\"\/\!\?\@\#\%\(\)\[\]\+\-\*\$\%]{2,3072}$/ui
--- a/config/services.yaml
+++ b/config/services.yaml
@ -28,6 +28,7 @@ parameters:
    app.add.post.remote.ip.delay: '%env(APP_ADD_POST_REMOTE_IP_DELAY)%'
    app.add.post.remote.ip.moderators: '%env(APP_ADD_POST_REMOTE_IP_MODERATORS)%'
    app.add.post.remote.ip.denied: '%env(APP_ADD_POST_REMOTE_IP_DENIED)%'
+    app.add.post.key.regex: '%env(APP_ADD_POST_KEY_REGEX)%'
    app.add.post.value.regex: '%env(APP_ADD_POST_VALUE_REGEX)%'

 services:
--- a/src/Controller/RoomController.php
+++ b/src/Controller/RoomController.php
@ -512,21 +512,30 @@ class RoomController extends AbstractController

    private function _post(array $data): ?object
    {
-        if (false === preg_match('/^([\d]+)@(.*)$/', $data['key'], $matches))
+        // Validate key format allowed in settings
+        if (false === preg_match((string) $this->getParameter('app.add.post.key.regex'), $data['key'], $matches))
        {
            return null;
        }

+        // Timestamp required in key
        if (empty($matches[1]))
        {
            return null;
        }

+        // Username required in key
        if (empty($matches[2]))
        {
            return null;
        }

+        // Validate value format allowed in settings
+        if (false === preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))
+        {
+            return null;
+        }
+
        return (object)
        [
            'id'      => $data['txid'],