authorGravatar Vitaly Takmazov2018-05-08 21:46:36 +0300
committerGravatar Vitaly Takmazov2018-05-08 21:46:36 +0300
commitf9f4115b7baeb9a73b63ecda3397994961071373 (patch)
treedebde6ef9a819f11677cbb6966c22ec755232529
parent67c5a5eedcd1bf68ade678935392eace59af1c37 (diff)
common: strip login urls from input
-rw-r--r--juick-common/src/main/java/com/juick/server/CommandsManager.java5
-rw-r--r--juick-common/src/main/java/com/juick/util/MessageUtils.java25
-rw-r--r--juick-server/src/test/java/com/juick/server/tests/ServerTests.java5
3 files changed, 30 insertions, 5 deletions
diff --git a/juick-common/src/main/java/com/juick/server/CommandsManager.java b/juick-common/src/main/java/com/juick/server/CommandsManager.java
index 82d293fe..ab55bba7 100644
--- a/juick-common/src/main/java/com/juick/server/CommandsManager.java
+++ b/juick-common/src/main/java/com/juick/server/CommandsManager.java
@@ -29,9 +29,9 @@ import com.juick.server.helpers.CommandResult;
import com.juick.server.helpers.TagStats;
import com.juick.server.helpers.annotation.UserCommand;
import com.juick.server.util.HttpUtils;
-import com.juick.server.util.ImageUtils;
import com.juick.server.util.TagUtils;
import com.juick.service.*;
+import com.juick.util.MessageUtils;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
@@ -79,7 +79,8 @@ public class CommandsManager {
private ImagesService imagesService;
public CommandResult processCommand(User user, String data, @Nonnull URI attachment) throws Exception {
- String input = StringUtils.stripStart(data, null);
+ String strippedData = StringUtils.stripStart(data, null);
+ String input = MessageUtils.stripNonSafeUrls(strippedData);
Optional<Method> cmd = MethodUtils.getMethodsListWithAnnotation(getClass(), UserCommand.class).stream()
.filter(m -> Pattern.compile(m.getAnnotation(UserCommand.class).pattern(),
m.getAnnotation(UserCommand.class).patternFlags()).matcher(input).matches())
diff --git a/juick-common/src/main/java/com/juick/util/MessageUtils.java b/juick-common/src/main/java/com/juick/util/MessageUtils.java
index bb7edfc3..932577cb 100644
--- a/juick-common/src/main/java/com/juick/util/MessageUtils.java
+++ b/juick-common/src/main/java/com/juick/util/MessageUtils.java
@@ -22,8 +22,10 @@ import com.juick.Tag;
import com.juick.User;
import org.apache.commons.codec.CharEncoding;
import org.apache.commons.lang3.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
import java.io.UnsupportedEncodingException;
+import java.net.URI;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;
@@ -55,7 +57,10 @@ public class MessageUtils {
return result;
}
- private static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|&lt;)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!&gt;))*)([\\]\\}]|&gt;)");
+ private final static String regexUrl =
+ "((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)";
+
+ private final static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|&lt;)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!&gt;))*)([\\]\\}]|&gt;)");
public static String formatMessageCode(String msg) {
msg = msg.replaceAll("&", "&amp;");
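Review bot: `private final static` on the two new field declarations reverses the conventional modifier order; `private static final String regexUrl =` and `private static final Pattern regexLinks2 =` read as the rest of the JDK-style world expects. Since `regexUrl` is now a shared constant, it is also worth compiling it once next to `regexLinks2`, e.g. `private static final Pattern URL_PATTERN = Pattern.compile(regexUrl);` (name is my proposal), so callers that loop over matches do not pay for a `Pattern.compile` on every invocation; the two `replaceAll` call sites that take the `String` form can keep using it. The `formatMessageCode` body continues outside the hunk.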
@@ -64,7 +69,7 @@ public class MessageUtils {
// http://juick.com/last?page=2
// <a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>
- msg = msg.replaceAll("((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)", "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
+ msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
// (http://juick.com/last?page=2)
// (<a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>)
@@ -91,7 +96,7 @@ public class MessageUtils {
// http://juick.com/last?page=2
// <a href="http://juick.com/last?page=2" rel="nofollow">juick.com</a>
- msg = msg.replaceAll("((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)", "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
+ msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
// [link text][http://juick.com/last?page=2]
// <a href="http://juick.com/last?page=2" rel="nofollow">link text</a>
@@ -268,4 +273,18 @@ public class MessageUtils {
public static boolean isReply(Message message) {
return message.getRid() > 0;
}
+
+ public static String stripNonSafeUrls(String input) {
+ // strip login urls
+ Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input);
+ while (urlMatcher.find()) {
+ URI uri = URI.create(urlMatcher.group(0));
+ if (uri.getHost().equals("juick.com")) {
+ UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUri(uri);
+ uriComponentsBuilder.replaceQueryParam("hash", StringUtils.EMPTY);
+ input = input.replace(urlMatcher.group(0), uriComponentsBuilder.build().toUriString());
+ }
+ }
+ return input;
+ }
}
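Review bot: `uri.getHost().equals("juick.com")` inside the `while` loop throws NullPointerException whenever `java.net.URI` parses the match but cannot derive a host from its authority (a malformed port or an authority `URI` treats as registry-based, for example), and `URI.create` on the preceding line throws IllegalArgumentException for any match containing characters the new `regexUrl` admits but RFC 3986 forbids, such as `<`, `{` or `|`; either exception aborts the whole `processCommand` call for a message that merely contains an odd-looking link. Skipping such matches is the safer choice: they cannot be the login url this method exists to scrub, and the rest of the message is still processed. A constant-first `"juick.com".equalsIgnoreCase(uri.getHost())` is null-safe and also covers upper-cased hosts, which DNS treats as equivalent (whether such input actually reaches this method I cannot tell from here). Note also that `Pattern.compile(MessageUtils.regexUrl)` recompiles the pattern on every call; a `static final Pattern` next to `regexLinks2` would do, and a Javadoc line such as `/** Blanks the {@code hash} query parameter of any juick.com url in {@code input}; other urls are left untouched. */` would make the contract explicit.
```java
    public static String stripNonSafeUrls(String input) {
        // strip login urls
        Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input);
        while (urlMatcher.find()) {
            String rawUrl = urlMatcher.group(0);
            URI uri;
            try {
                uri = URI.create(rawUrl);
            } catch (IllegalArgumentException e) {
                // regexUrl admits characters RFC 3986 forbids; an unparsable token cannot be a login url
                continue;
            }
            // getHost() is null when the authority does not yield a syntactically valid host
            if (!"juick.com".equalsIgnoreCase(uri.getHost())) {
                continue;
            }
            UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUri(uri);
            uriComponentsBuilder.replaceQueryParam("hash", StringUtils.EMPTY);
            input = input.replace(rawUrl, uriComponentsBuilder.build().toUriString());
        }
        return input;
    }
```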
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index 70dfd175..3c12de40 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
@@ -797,6 +797,11 @@ public class ServerTests {
result = commandsManager.processCommand(user, String.format("#%d *one *two *three *four *five *six", msg.getMid()), emptyUri);
assertThat(result.getNewMessage(), is(Optional.empty()));
assertThat(result.getText(), is("Tags are NOT updated (5 tags maximum?)"));
+ result = commandsManager.processCommand(user, "I'm very smart to post my login url there: " +
+ "https://juick.com/settings?hash=VTYZkKV8FWkmu6g1", emptyUri);
+ assertThat(result.getNewMessage().isPresent(), is(true));
+ assertThat(result.getNewMessage().get().getText(), is("I'm very smart to post my login url there: " +
+ "https://juick.com/settings?hash="));
}
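Review bot: The new assertions cover only the positive case (a juick.com url loses its `hash` value); nothing pins down that urls on other hosts are left untouched, so a future regression that blanks every `hash` parameter would pass this test. A constructed negative case would close that gap: `result = commandsManager.processCommand(user, "https://example.com/settings?hash=VTYZkKV8FWkmu6g1", emptyUri);` followed by `assertThat(result.getNewMessage().get().getText(), is("https://example.com/settings?hash=VTYZkKV8FWkmu6g1"));`. A message containing a token the url regex matches but `java.net.URI` rejects would also be worth an assertion, since that path currently throws rather than posts. The enclosing test method starts outside the hunk.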
@Test
public void mailParserTest() throws Exception {