From df68a3aa912192a1c982858af47c3114ceb8dbfc Mon Sep 17 00:00:00 2001
From: ghost
Date: Sat, 9 Dec 2023 19:51:30 +0200
Subject: [PATCH] improve post format validation

---
 .env | 7 +++++--
 config/services.yaml | 1 +
 src/Controller/RoomController.php | 11 ++++++++++-
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/.env b/.env
index 93b084e..15ed30f 100644
--- a/.env
+++ b/.env
@@ -19,7 +19,7 @@ APP_ENV=dev
 APP_SECRET=EDIT_ME
 ###< symfony/framework-bundle ###
-APP_VERSION=1.3.0
+APP_VERSION=1.3.1
 APP_NAME=KevaChat
@@ -49,7 +49,7 @@ APP_KEVACOIN_EXPLORER_URL=https://keva.one/explorer/address/
 # Address to receive kevacoin powers (make others able to fill node balance)
 APP_KEVACOIN_BOOST_ADDRESS=EDIT_ME
-# Allowed room namespaces, separated with | (must be owned to accept posts)
+# Pinned room namespaces, separated with |
 APP_KEVACOIN_ROOM_NAMESPACES_PINNED=EDIT_ME
 # Allowed room namespaces for read only (e.g. project news) separated with |
@@ -76,5 +76,8 @@ APP_ADD_POST_REMOTE_IP_MODERATORS=
 # Skip access limits for banned IPs separated by |
 APP_ADD_POST_REMOTE_IP_DENIED=
+# Post ID rules (for kevacoin key) do not change to keep external KevaChat nodes compatibility
+APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-z0-9\.\:\[\]]+)$/
+
 # Post content rules (for kevacoin value)
 APP_ADD_POST_VALUE_REGEX=/^[\w\s\:\.\,\'\"\/\!\?\@\#\%\(\)\[\]\+\-\*\$\%]{2,3072}$/ui
\ No newline at end of file
diff --git a/config/services.yaml b/config/services.yaml
index fb38fa0..edaf413 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -28,6 +28,7 @@ parameters:
 app.add.post.remote.ip.delay: '%env(APP_ADD_POST_REMOTE_IP_DELAY)%'
 app.add.post.remote.ip.moderators: '%env(APP_ADD_POST_REMOTE_IP_MODERATORS)%'
 app.add.post.remote.ip.denied: '%env(APP_ADD_POST_REMOTE_IP_DENIED)%'
+ app.add.post.key.regex: '%env(APP_ADD_POST_KEY_REGEX)%'
 app.add.post.value.regex: '%env(APP_ADD_POST_VALUE_REGEX)%'
 services:
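Review bot: The character class in the new `APP_ADD_POST_KEY_REGEX` (third .env hunk) uses the range `A-z`, which in ASCII spans 0x41–0x7A and therefore also admits `\`, `^`, `_` and the backtick that sit between `Z` and `a`, so a username part containing those characters passes the key check although the class only lists `[` and `]` on purpose; `A-Za-z` is presumably what was meant. The pattern also ends in `$` without the `D` modifier, so a key whose username part is followed by a single trailing newline still matches. Since the adjacent comment states the rule must not change to stay compatible with external KevaChat nodes, either extend that comment to say the wider class is intentional, or tighten it to `APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-Za-z0-9\.\:\[\]]+)$/D` in a coordinated release and say so in the comment.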
diff --git a/src/Controller/RoomController.php b/src/Controller/RoomController.php
index 6d63631..04f92d3 100644
--- a/src/Controller/RoomController.php
+++ b/src/Controller/RoomController.php
@@ -512,21 +512,30 @@ class RoomController extends AbstractController
 private function _post(array $data): ?object
 {
- if (false === preg_match('/^([\d]+)@(.*)$/', $data['key'], $matches))
+ // Validate key format allowed in settings
+ if (false === preg_match((string) $this->getParameter('app.add.post.key.regex'), $data['key'], $matches))
 {
 return null;
 }
+ // Timestamp required in key
 if (empty($matches[1]))
 {
 return null;
 }
+ // Username required in key
 if (empty($matches[2]))
 {
 return null;
 }
+ // Validate value format allowed in settings
+ if (false === preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))
+ {
+ return null;
+ }
+
 return (object) [
 'id' => $data['txid'],