mirror of
https://github.com/LemmyNet/lemmy.git
synced 2024-11-26 07:52:13 +00:00
With this change only http(s) schemes are allowed for post.url field. This is checked for incoming api and federation requests. Existing posts in database which are sent to clients are not checked. Neither does it check urls in markdown.
This commit is contained in:
parent
c12fedaf1b
commit
00f9f79a44
|
@ -31,7 +31,7 @@ use lemmy_utils::{
|
||||||
error::LemmyError,
|
error::LemmyError,
|
||||||
utils::{
|
utils::{
|
||||||
slurs::{check_slurs, check_slurs_opt},
|
slurs::{check_slurs, check_slurs_opt},
|
||||||
validation::{clean_url_params, is_valid_body_field, is_valid_post_title},
|
validation::{check_url_scheme, clean_url_params, is_valid_body_field, is_valid_post_title},
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
use tracing::{warn, Instrument};
|
use tracing::{warn, Instrument};
|
||||||
|
@ -58,6 +58,7 @@ impl PerformCrud for CreatePost {
|
||||||
|
|
||||||
is_valid_post_title(&data.name)?;
|
is_valid_post_title(&data.name)?;
|
||||||
is_valid_body_field(&data.body, true)?;
|
is_valid_body_field(&data.body, true)?;
|
||||||
|
check_url_scheme(&data.url)?;
|
||||||
|
|
||||||
check_community_ban(local_user_view.person.id, data.community_id, context.pool()).await?;
|
check_community_ban(local_user_view.person.id, data.community_id, context.pool()).await?;
|
||||||
check_community_deleted_or_removed(data.community_id, context.pool()).await?;
|
check_community_deleted_or_removed(data.community_id, context.pool()).await?;
|
||||||
|
|
|
@ -20,7 +20,7 @@ use lemmy_utils::{
|
||||||
error::LemmyError,
|
error::LemmyError,
|
||||||
utils::{
|
utils::{
|
||||||
slurs::check_slurs_opt,
|
slurs::check_slurs_opt,
|
||||||
validation::{clean_url_params, is_valid_body_field, is_valid_post_title},
|
validation::{check_url_scheme, clean_url_params, is_valid_body_field, is_valid_post_title},
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -50,6 +50,7 @@ impl PerformCrud for EditPost {
|
||||||
}
|
}
|
||||||
|
|
||||||
is_valid_body_field(&data.body, true)?;
|
is_valid_body_field(&data.body, true)?;
|
||||||
|
check_url_scheme(&data.url)?;
|
||||||
|
|
||||||
let post_id = data.post_id;
|
let post_id = data.post_id;
|
||||||
let orig_post = Post::read(context.pool(), post_id).await?;
|
let orig_post = Post::read(context.pool(), post_id).await?;
|
||||||
|
|
|
@ -44,6 +44,7 @@ use lemmy_utils::{
|
||||||
markdown::markdown_to_html,
|
markdown::markdown_to_html,
|
||||||
slurs::{check_slurs_opt, remove_slurs},
|
slurs::{check_slurs_opt, remove_slurs},
|
||||||
time::convert_datetime,
|
time::convert_datetime,
|
||||||
|
validation::check_url_scheme,
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
use std::ops::Deref;
|
use std::ops::Deref;
|
||||||
|
@ -191,6 +192,7 @@ impl Object for ApubPost {
|
||||||
} else {
|
} else {
|
||||||
None
|
None
|
||||||
};
|
};
|
||||||
|
check_url_scheme(&url)?;
|
||||||
|
|
||||||
let local_site = LocalSite::read(context.pool()).await.ok();
|
let local_site = LocalSite::read(context.pool()).await.ok();
|
||||||
let allow_sensitive = local_site_opt_to_sensitive(&local_site);
|
let allow_sensitive = local_site_opt_to_sensitive(&local_site);
|
||||||
|
|
|
@ -302,12 +302,22 @@ pub fn check_site_visibility_valid(
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn check_url_scheme(url: &Option<Url>) -> LemmyResult<()> {
|
||||||
|
if let Some(url) = url {
|
||||||
|
if url.scheme() != "http" && url.scheme() != "https" {
|
||||||
|
return Err(LemmyError::from_message("invalid_url_scheme"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use super::build_totp_2fa;
|
use super::build_totp_2fa;
|
||||||
use crate::utils::validation::{
|
use crate::utils::validation::{
|
||||||
build_and_check_regex,
|
build_and_check_regex,
|
||||||
check_site_visibility_valid,
|
check_site_visibility_valid,
|
||||||
|
check_url_scheme,
|
||||||
clean_url_params,
|
clean_url_params,
|
||||||
generate_totp_2fa_secret,
|
generate_totp_2fa_secret,
|
||||||
is_valid_actor_name,
|
is_valid_actor_name,
|
||||||
|
@ -519,4 +529,13 @@ mod tests {
|
||||||
assert!(check_site_visibility_valid(false, false, &Some(true), &None).is_ok());
|
assert!(check_site_visibility_valid(false, false, &Some(true), &None).is_ok());
|
||||||
assert!(check_site_visibility_valid(false, false, &None, &Some(true)).is_ok());
|
assert!(check_site_visibility_valid(false, false, &None, &Some(true)).is_ok());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_check_url_scheme() {
|
||||||
|
assert!(check_url_scheme(&None).is_ok());
|
||||||
|
assert!(check_url_scheme(&Some(Url::parse("http://example.com").unwrap())).is_ok());
|
||||||
|
assert!(check_url_scheme(&Some(Url::parse("https://example.com").unwrap())).is_ok());
|
||||||
|
assert!(check_url_scheme(&Some(Url::parse("ftp://example.com").unwrap())).is_err());
|
||||||
|
assert!(check_url_scheme(&Some(Url::parse("javascript:void").unwrap())).is_err());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue