fix: username and community title validation

2025-05-19 19:31:12 -04:00 · 2025-05-19 19:31:12 -04:00 · efb259764e
commit efb259764e
parent a4d7f44aa3
7 changed files with 79 additions and 25 deletions
--- a/crates/core/Cargo.toml
+++ b/crates/core/Cargo.toml
@ -34,3 +34,4 @@ tokio-postgres = { version = "0.7.13", optional = true }
 bb8-postgres = { version = "0.9.0", optional = true }
 base64 = "0.22.1"
 emojis = "0.6.4"
+regex = "1.11.1"
--- a/crates/core/src/database/auth.rs
+++ b/crates/core/src/database/auth.rs
@ -128,14 +128,15 @@ impl DataManager {
            return Err(Error::MiscError("This username cannot be used".to_string()));
        }

-        if data.username.contains(" ") {
-            return Err(Error::MiscError("Name cannot contain spaces".to_string()));
-        } else if data.username.contains("%") {
-            return Err(Error::MiscError("Name cannot contain \"%\"".to_string()));
-        } else if data.username.contains("?") {
-            return Err(Error::MiscError("Name cannot contain \"?\"".to_string()));
-        } else if data.username.contains("&") {
-            return Err(Error::MiscError("Name cannot contain \"&\"".to_string()));
+        let regex = regex::RegexBuilder::new(r"[^\w_\-\.!]+")
+            .multi_line(true)
+            .build()
+            .unwrap();
+
+        if regex.captures(&data.username).is_some() {
+            return Err(Error::MiscError(
+                "This username contains invalid characters".to_string(),
+            ));
        }

        // make sure username isn't taken
@ -436,6 +437,29 @@ impl DataManager {
    }

    pub async fn update_user_username(&self, id: usize, to: String, user: User) -> Result<()> {
+        // check value
+        if to.len() < 2 {
+            return Err(Error::DataTooShort("username".to_string()));
+        } else if to.len() > 32 {
+            return Err(Error::DataTooLong("username".to_string()));
+        }
+
+        if self.0.banned_usernames.contains(&to) {
+            return Err(Error::MiscError("This username cannot be used".to_string()));
+        }
+
+        let regex = regex::RegexBuilder::new(r"[^\w_\-\.!]+")
+            .multi_line(true)
+            .build()
+            .unwrap();
+
+        if regex.captures(&to).is_some() {
+            return Err(Error::MiscError(
+                "This username contains invalid characters".to_string(),
+            ));
+        }
+
+        // ...
        let conn = match self.connect().await {
            Ok(c) => c,
            Err(e) => return Err(Error::DatabaseConnection(e.to_string())),
--- a/crates/core/src/database/communities.rs
+++ b/crates/core/src/database/communities.rs
@ -209,16 +209,21 @@ impl DataManager {
            return Err(Error::DataTooLong("title".to_string()));
        }

-        if !data.title.is_ascii() | data.title.contains(" ") {
-            return Err(Error::MiscError(
-                "Title contains characters which aren't allowed".to_string(),
-            ));
-        }
-
        if self.0.banned_usernames.contains(&data.title) {
            return Err(Error::MiscError("This title cannot be used".to_string()));
        }

+        let regex = regex::RegexBuilder::new(r"[^\w_\-\.!]+")
+            .multi_line(true)
+            .build()
+            .unwrap();
+
+        if regex.captures(&data.title).is_some() {
+            return Err(Error::MiscError(
+                "This title contains invalid characters".to_string(),
+            ));
+        }
+
        // check number of communities
        let owner = self.get_user_by_id(data.owner).await?;

@ -382,6 +387,29 @@ impl DataManager {
    }

    pub async fn update_community_title(&self, id: usize, user: User, title: &str) -> Result<()> {
+        // check values
+        if title.len() < 2 {
+            return Err(Error::DataTooShort("title".to_string()));
+        } else if title.len() > 32 {
+            return Err(Error::DataTooLong("title".to_string()));
+        }
+
+        if self.0.banned_usernames.contains(&title.to_string()) {
+            return Err(Error::MiscError("This title cannot be used".to_string()));
+        }
+
+        let regex = regex::RegexBuilder::new(r"[^\w_\-\.!]+")
+            .multi_line(true)
+            .build()
+            .unwrap();
+
+        if regex.captures(&title).is_some() {
+            return Err(Error::MiscError(
+                "This title contains invalid characters".to_string(),
+            ));
+        }
+
+        // ...
        let y = self.get_community_by_id(id).await?;

        if user.id != y.owner {