
improve post format validation

main
ghost 1 year ago
parent
commit
df68a3aa91
  1. 7
      .env
  2. 1
      config/services.yaml
  3. 11
      src/Controller/RoomController.php

7
.env

@ -19,7 +19,7 @@ APP_ENV=dev @@ -19,7 +19,7 @@ APP_ENV=dev
APP_SECRET=EDIT_ME
###< symfony/framework-bundle ###
APP_VERSION=1.3.0
APP_VERSION=1.3.1
APP_NAME=KevaChat
@ -49,7 +49,7 @@ APP_KEVACOIN_EXPLORER_URL=https://keva.one/explorer/address/ @@ -49,7 +49,7 @@ APP_KEVACOIN_EXPLORER_URL=https://keva.one/explorer/address/
# Address to receive kevacoin powers (make others able to fill node balance)
APP_KEVACOIN_BOOST_ADDRESS=EDIT_ME
# Allowed room namespaces, separated with | (must be owned to accept posts)
# Pinned room namespaces, separated with |
APP_KEVACOIN_ROOM_NAMESPACES_PINNED=EDIT_ME
# Allowed room namespaces for read only (e.g. project news) separated with |
@ -76,5 +76,8 @@ APP_ADD_POST_REMOTE_IP_MODERATORS= @@ -76,5 +76,8 @@ APP_ADD_POST_REMOTE_IP_MODERATORS=
# Skip access limits for banned IPs separated by |
APP_ADD_POST_REMOTE_IP_DENIED=
# Post ID rules (for kevacoin key) do not change to keep external KevaChat nodes compatibility
APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-z0-9\.\:\[\]]+)$/
# Post content rules (for kevacoin value)
APP_ADD_POST_VALUE_REGEX=/^[\w\s\:\.\,\'\"\/\!\?\@\#\%\(\)\[\]\+\-\*\$\%]{2,3072}$/ui
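Review bot: The character class in the new `APP_ADD_POST_KEY_REGEX` line uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick that sit between `Z` and `a`, so a username part containing a backslash or backtick passes the key check; the intended class is most likely `[A-Za-z0-9\.\:\[\]]`. Both new patterns also end in `$` without the `D` modifier, and in PCRE `$` still matches before a single trailing newline, so a key or value ending in `\n` is accepted; `$/D` and `$/uiD` pin the end of the string. The comment above the key regex says it must stay compatible with other KevaChat nodes, so if the current range is already relied on by them, tightening it may need to be coordinated.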

1
config/services.yaml

@ -28,6 +28,7 @@ parameters: @@ -28,6 +28,7 @@ parameters:
app.add.post.remote.ip.delay: '%env(APP_ADD_POST_REMOTE_IP_DELAY)%'
app.add.post.remote.ip.moderators: '%env(APP_ADD_POST_REMOTE_IP_MODERATORS)%'
app.add.post.remote.ip.denied: '%env(APP_ADD_POST_REMOTE_IP_DENIED)%'
app.add.post.key.regex: '%env(APP_ADD_POST_KEY_REGEX)%'
app.add.post.value.regex: '%env(APP_ADD_POST_VALUE_REGEX)%'
services:

11
src/Controller/RoomController.php

@ -512,21 +512,30 @@ class RoomController extends AbstractController @@ -512,21 +512,30 @@ class RoomController extends AbstractController
private function _post(array $data): ?object
{
if (false === preg_match('/^([\d]+)@(.*)$/', $data['key'], $matches))
// Validate key format allowed in settings
if (false === preg_match((string) $this->getParameter('app.add.post.key.regex'), $data['key'], $matches))
{
return null;
}
// Timestamp required in key
if (empty($matches[1]))
{
return null;
}
// Username required in key
if (empty($matches[2]))
{
return null;
}
// Validate value format allowed in settings
if (false === preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))
{
return null;
}
return (object)
[
'id' => $data['txid'],
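Review bot: The value check added with the `preg_match` on `app.add.post.value.regex` never rejects a non-matching value: `preg_match()` returns `0` on no match and `false` only on a PCRE error, so `false === 0` is false and the function goes on to build the post object. The key check a few lines above has the same shape and only works because the later `empty($matches[1])` / `empty($matches[2])` tests catch an unfilled `$matches`; the value branch has no such fallback, so the configured content rules are effectively not enforced. Compare against `1` in both places, e.g. `if (1 !== preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))`. Because the pattern comes from configuration, a `false` return (invalid pattern or backtrack limit) is worth distinguishing via `preg_last_error()` rather than being folded silently into the `null` result. `_post()` continues past the end of the hunk.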
