From 52e2868debcb9aabcec0c7b7b459f9ed8efb7742 Mon Sep 17 00:00:00 2001
From: Nicolas Constant
Date: Sat, 30 Jan 2021 01:28:20 -0500
Subject: [PATCH] ensure valide username pattern, fix #75
---
 src/BirdsiteLive/Controllers/UsersController.cs | 10 +++++++++-
 src/BirdsiteLive/Controllers/WellKnownController.cs | 7 +++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/BirdsiteLive/Controllers/UsersController.cs b/src/BirdsiteLive/Controllers/UsersController.cs
index d291c67..a22ae73 100644
--- a/src/BirdsiteLive/Controllers/UsersController.cs
+++ b/src/BirdsiteLive/Controllers/UsersController.cs
@@ -4,6 +4,7 @@ using System.IO;
 using System.Linq;
 using System.Net.Mime;
 using System.Runtime.InteropServices.WindowsRuntime;
+using System.Text.RegularExpressions;
 using System.Threading;
 using System.Threading.Tasks;
 using BirdsiteLive.ActivityPub;
@@ -12,6 +13,7 @@ using BirdsiteLive.Common.Settings;
 using BirdsiteLive.Domain;
 using BirdsiteLive.Models;
 using BirdsiteLive.Twitter;
+using BirdsiteLive.Twitter.Models;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Primitives;
@@ -26,6 +28,7 @@ namespace BirdsiteLive.Controllers
 private readonly IUserService _userService;
 private readonly IStatusService _statusService;
 private readonly InstanceSettings _instanceSettings;
+ private readonly Regex _twitterAccountRegex = new Regex(@"^[a-zA-Z0-9_]+$");

 #region Ctor
 public UsersController(ITwitterUserService twitterUserService, IUserService userService, IStatusService statusService, InstanceSettings instanceSettings, ITwitterTweetsService twitterTweetService) 
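Review bot: The `$` anchor in the added `_twitterAccountRegex` (`^[a-zA-Z0-9_]+$`) does not pin the end of the string in .NET: without RegexOptions.Multiline, `$` also matches immediately before a single trailing `\n`, so an id such as `foo\n` can satisfy `IsMatch` and, since Index only trims spaces and `@`, reach `GetUser` with the newline intact. Anchoring with `\z` closes that, and folding the 15-character limit into the pattern makes the separate `Length` checks in the callers redundant: `private static readonly Regex _twitterAccountRegex = new Regex(@"^[a-zA-Z0-9_]{1,15}\z");`. Making the field `static` also avoids constructing a new Regex for every controller instance, which ASP.NET Core creates per request. WellKnownController declares the same pattern later in this patch and needs the identical change. The constructor signature on the hunk's last line continues outside the hunk.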
@@ -55,7 +58,12 @@ namespace BirdsiteLive.Controllers
 public IActionResult Index(string id)
 {
 id = id.Trim(new[] { ' ', '@' }).ToLowerInvariant();
- var user = _twitterUserService.GetUser(id);
+
+ // Ensure valid username
+ // https://help.twitter.com/en/managing-your-account/twitter-username-rules
+ TwitterUser user = null;
+ if (!string.IsNullOrWhiteSpace(id) && _twitterAccountRegex.IsMatch(id) && id.Length <= 15)
+ user = _twitterUserService.GetUser(id);

 var acceptHeaders = Request.Headers["Accept"];
 if (acceptHeaders.Any())
diff --git a/src/BirdsiteLive/Controllers/WellKnownController.cs b/src/BirdsiteLive/Controllers/WellKnownController.cs
index 553d8e7..3f060a7 100644
--- a/src/BirdsiteLive/Controllers/WellKnownController.cs
+++ b/src/BirdsiteLive/Controllers/WellKnownController.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using BirdsiteLive.ActivityPub.Converters;
 using BirdsiteLive.Common.Settings;
@@ -19,6 +20,7 @@ namespace BirdsiteLive.Controllers
 private readonly ITwitterUserService _twitterUserService;
 private readonly ITwitterUserDal _twitterUserDal;
 private readonly InstanceSettings _settings;
+ private readonly Regex _twitterAccountRegex = new Regex(@"^[a-zA-Z0-9_]+$");

 #region Ctor
 public WellKnownController(InstanceSettings settings, ITwitterUserService twitterUserService, ITwitterUserDal twitterUserDal)
@@ -160,6 +162,11 @@ namespace BirdsiteLive.Controllers
 // Ensure lowercase
 name = name.ToLowerInvariant();

+ // Ensure valid username
+ // https://help.twitter.com/en/managing-your-account/twitter-username-rules
+ if (string.IsNullOrWhiteSpace(name) || !_twitterAccountRegex.IsMatch(name) || name.Length > 15 )
+ return NotFound();
+
 if (!string.IsNullOrWhiteSpace(domain) && domain != _settings.Domain)
 return NotFound();
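Review bot: On a rejected id, Index leaves `user` null and falls through into the Accept-header negotiation that follows, whereas the matching check added to WellKnownController in this same patch returns `NotFound()` outright; the remainder of Index is outside the hunk, so I cannot confirm here that every branch below copes with a null user. Rejecting early keeps the two controllers consistent and stops the rest of the method from running on invalid input: `if (string.IsNullOrWhiteSpace(id) || !_twitterAccountRegex.IsMatch(id) || id.Length > 15) return NotFound();` followed by `var user = _twitterUserService.GetUser(id);`, which also removes the need for the `TwitterUser user = null;` declaration. Note too that `id.Trim(...)` on the hunk's third line runs before the null check, so if the route ever binds a missing id as null this throws a NullReferenceException before the validation is reached; `id = (id ?? string.Empty).Trim(new[] { ' ', '@' }).ToLowerInvariant();` would cover that. Index continues past the last line of the hunk.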