From ed71d24fe9bb66244474c87959c07dd422baeb14 Mon Sep 17 00:00:00 2001 From: Trinity Pointard Date: Sun, 2 Dec 2018 19:07:36 +0100 Subject: [PATCH] Verify remote user name and media url --- plume-models/src/medias.rs | 32 ++++++++++++++++++-------------- plume-models/src/users.rs | 23 +++++++++++++++-------- 2 files changed, 33 insertions(+), 22 deletions(-) diff --git a/plume-models/src/medias.rs b/plume-models/src/medias.rs index 64f38bc..2c906f7 100644 --- a/plume-models/src/medias.rs +++ b/plume-models/src/medias.rs @@ -131,19 +131,23 @@ impl Media { .expect("Media::delete: database entry deletion error"); } - pub fn save_remote(conn: &Connection, url: String, user: &User) -> Media { - Media::insert( - conn, - NewMedia { - file_path: String::new(), - alt_text: String::new(), - is_remote: true, - remote_url: Some(url), - sensitive: false, - content_warning: None, - owner_id: user.id, - }, - ) + pub fn save_remote(conn: &Connection, url: String, user: &User) -> Result { + if url.contains(&['<', '>', '"'][..]) { + Err(()) + } else { + Ok(Media::insert( + conn, + NewMedia { + file_path: String::new(), + alt_text: String::new(), + is_remote: true, + remote_url: Some(url), + sensitive: false, + content_warning: None, + owner_id: user.id, + }, + )) + } } pub fn set_owner(&self, conn: &Connection, user: &User) { @@ -177,7 +181,7 @@ impl Media { NewMedia { file_path: path.to_str()?.to_string(), alt_text: image.object_props.content_string().ok()?, - is_remote: true, + is_remote: false, remote_url: None, sensitive: image.object_props.summary_string().is_ok(), content_warning: image.object_props.summary_string().ok(), diff --git a/plume-models/src/users.rs b/plume-models/src/users.rs index 11c077b..0b9ddf7 100644 --- a/plume-models/src/users.rs +++ b/plume-models/src/users.rs @@ -267,7 +267,7 @@ impl User { } pub fn fetch_from_url(conn: &Connection, url: &str) -> Option { - User::fetch(url).map(|json| { + User::fetch(url).and_then(|json| { (User::from_activity( conn, &json, @@ -275,11 +275,11 @@ impl User { .expect("User::fetch_from_url: url error") .host_str() .expect("User::fetch_from_url: host error"), - )) + ).ok()) }) } - fn from_activity(conn: &Connection, acct: &CustomPerson, inst: &str) -> User { + fn from_activity(conn: &Connection, acct: &CustomPerson, inst: &str) -> Result { let instance = match Instance::find_by_domain(conn, inst) { Some(instance) => instance, None => { @@ -301,6 +301,11 @@ impl User { } }; + if acct.object.ap_actor_props.preferred_username_string() + .expect("User::from_activity: preferredUsername error") + .contains(&['<', '>', '&', '@', '\'', '"'][..]) { + return Err(()); + } let user = User::insert( conn, NewUser { @@ -308,7 +313,7 @@ impl User { .object .ap_actor_props .preferred_username_string() - .expect("User::from_activity: preferredUsername error"), + .unwrap(), display_name: acct .object .object_props @@ -374,9 +379,11 @@ impl User { &user, ); - user.set_avatar(conn, avatar.id); + if let Ok(avatar) = avatar { + user.set_avatar(conn, avatar.id); + } - user + Ok(user) } pub fn refetch(&self, conn: &Connection) { @@ -391,7 +398,7 @@ impl User { .url_string() .expect("User::refetch: icon.url error"), &self, - ); + ).ok(); diesel::update(self) .set(( @@ -427,7 +434,7 @@ impl User { .ap_actor_props .followers_string() .expect("User::refetch: followers error")), - users::avatar_id.eq(Some(avatar.id)), + users::avatar_id.eq(avatar.map(|a| a.id)), users::last_fetched_date.eq(Utc::now().naive_utc()), )) .execute(conn)