
improve post format validation

main
ghost 12 months ago
parent
commit
df68a3aa91
  1. 7
      .env
  2. 1
      config/services.yaml
  3. 11
      src/Controller/RoomController.php

7
.env

@ -19,7 +19,7 @@ APP_ENV=dev
APP_SECRET=EDIT_ME APP_SECRET=EDIT_ME
###< symfony/framework-bundle ### ###< symfony/framework-bundle ###
APP_VERSION=1.3.0 APP_VERSION=1.3.1
APP_NAME=KevaChat APP_NAME=KevaChat
@ -49,7 +49,7 @@ APP_KEVACOIN_EXPLORER_URL=https://keva.one/explorer/address/
# Address to receive kevacoin powers (make others able to fill node balance) # Address to receive kevacoin powers (make others able to fill node balance)
APP_KEVACOIN_BOOST_ADDRESS=EDIT_ME APP_KEVACOIN_BOOST_ADDRESS=EDIT_ME
# Allowed room namespaces, separated with | (must be owned to accept posts) # Pinned room namespaces, separated with |
APP_KEVACOIN_ROOM_NAMESPACES_PINNED=EDIT_ME APP_KEVACOIN_ROOM_NAMESPACES_PINNED=EDIT_ME
# Allowed room namespaces for read only (e.g. project news) separated with | # Allowed room namespaces for read only (e.g. project news) separated with |
@ -76,5 +76,8 @@ APP_ADD_POST_REMOTE_IP_MODERATORS=
# Skip access limits for banned IPs separated by | # Skip access limits for banned IPs separated by |
APP_ADD_POST_REMOTE_IP_DENIED= APP_ADD_POST_REMOTE_IP_DENIED=
# Post ID rules (for kevacoin key) do not change to keep external KevaChat nodes compatibility
APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-z0-9\.\:\[\]]+)$/
# Post content rules (for kevacoin value) # Post content rules (for kevacoin value)
APP_ADD_POST_VALUE_REGEX=/^[\w\s\:\.\,\'\"\/\!\?\@\#\%\(\)\[\]\+\-\*\$\%]{2,3072}$/ui APP_ADD_POST_VALUE_REGEX=/^[\w\s\:\.\,\'\"\/\!\?\@\#\%\(\)\[\]\+\-\*\$\%]{2,3072}$/ui
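Review bot: The username class in the new `APP_ADD_POST_KEY_REGEX=/^([\d]+)@([A-z0-9\.\:\[\]]+)$/` uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick that sit between `Z` and `a`, so those characters are accepted in the username part of a key. If only letters were intended, write `[A-Za-z0-9.:\[\]]` instead; the comment above it says this rule must stay compatible with other nodes, so it is worth settling before the value ships rather than after. The explicit hunk count (5 old, 8 new) is larger than the lines shown, so part of this hunk may be outside the view.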

1
config/services.yaml

@ -28,6 +28,7 @@ parameters:
app.add.post.remote.ip.delay: '%env(APP_ADD_POST_REMOTE_IP_DELAY)%' app.add.post.remote.ip.delay: '%env(APP_ADD_POST_REMOTE_IP_DELAY)%'
app.add.post.remote.ip.moderators: '%env(APP_ADD_POST_REMOTE_IP_MODERATORS)%' app.add.post.remote.ip.moderators: '%env(APP_ADD_POST_REMOTE_IP_MODERATORS)%'
app.add.post.remote.ip.denied: '%env(APP_ADD_POST_REMOTE_IP_DENIED)%' app.add.post.remote.ip.denied: '%env(APP_ADD_POST_REMOTE_IP_DENIED)%'
app.add.post.key.regex: '%env(APP_ADD_POST_KEY_REGEX)%'
app.add.post.value.regex: '%env(APP_ADD_POST_VALUE_REGEX)%' app.add.post.value.regex: '%env(APP_ADD_POST_VALUE_REGEX)%'
services: services:

11
src/Controller/RoomController.php

@ -512,21 +512,30 @@ class RoomController extends AbstractController
private function _post(array $data): ?object private function _post(array $data): ?object
{ {
if (false === preg_match('/^([\d]+)@(.*)$/', $data['key'], $matches)) // Validate key format allowed in settings
if (false === preg_match((string) $this->getParameter('app.add.post.key.regex'), $data['key'], $matches))
{ {
return null; return null;
} }
// Timestamp required in key
if (empty($matches[1])) if (empty($matches[1]))
{ {
return null; return null;
} }
// Username required in key
if (empty($matches[2])) if (empty($matches[2]))
{ {
return null; return null;
} }
// Validate value format allowed in settings
if (false === preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))
{
return null;
}
return (object) return (object)
[ [
'id' => $data['txid'], 'id' => $data['txid'],
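Review bot: The new value check `if (false === preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))` only rejects a PCRE error; when the value simply does not match the configured pattern, preg_match() returns `0`, which is not `false`, so the post is accepted and the content rule from `.env` is never enforced. The key check on the line above has the same shape but is rescued by the following `empty($matches[1])` test, whereas the value check has no such fallback. Test for a match explicitly in both places: `if (1 !== preg_match((string) $this->getParameter('app.add.post.value.regex'), $data['value']))`, and likewise `if (1 !== preg_match((string) $this->getParameter('app.add.post.key.regex'), $data['key'], $matches))`. The body of `_post` continues past the end of the hunk.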
