3 files changed, 30 insertions, 5 deletions
diff --git a/juick-common/src/main/java/com/juick/server/CommandsManager.java b/juick-common/src/main/java/com/juick/server/CommandsManager.java
index 82d293fe..ab55bba7 100644
--- a/juick-common/src/main/java/com/juick/server/CommandsManager.java
+++ b/juick-common/src/main/java/com/juick/server/CommandsManager.java
@@ -29,9 +29,9 @@ import com.juick.server.helpers.CommandResult;
 import com.juick.server.helpers.TagStats;
 import com.juick.server.helpers.annotation.UserCommand;
 import com.juick.server.util.HttpUtils;
-import com.juick.server.util.ImageUtils;
 import com.juick.server.util.TagUtils;
 import com.juick.service.*;
+import com.juick.util.MessageUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.math.NumberUtils;
@@ -79,7 +79,8 @@ public class CommandsManager {
     private ImagesService imagesService;
     public CommandResult processCommand(User user, String data, @Nonnull URI attachment) throws Exception {
-        String input = StringUtils.stripStart(data, null);
+        String strippedData = StringUtils.stripStart(data, null);
+        String input = MessageUtils.stripNonSafeUrls(strippedData);
         Optional<Method> cmd = MethodUtils.getMethodsListWithAnnotation(getClass(), UserCommand.class).stream()
                 .filter(m -> Pattern.compile(m.getAnnotation(UserCommand.class).pattern(), m.getAnnotation(UserCommand.class).patternFlags()).matcher(input).matches())
diff --git a/juick-common/src/main/java/com/juick/util/MessageUtils.java b/juick-common/src/main/java/com/juick/util/MessageUtils.java
index bb7edfc3..932577cb 100644
--- a/juick-common/src/main/java/com/juick/util/MessageUtils.java
+++ b/juick-common/src/main/java/com/juick/util/MessageUtils.java
@@ -22,8 +22,10 @@ import com.juick.Tag;
 import com.juick.User;
 import org.apache.commons.codec.CharEncoding;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 import java.io.UnsupportedEncodingException;
+import java.net.URI;
 import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.List;
@@ -55,7 +57,10 @@ public class MessageUtils {
         return result;
     }
-    private static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|<)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!>))*)([\\]\\}]|>)");
+    private final static String regexUrl =
+            "((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)";
+
+    private final static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|<)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?<!>))*)([\\]\\}]|>)");
     public static String formatMessageCode(String msg) {
         msg = msg.replaceAll("&", "&");
@@ -64,7 +69,7 @@ public class MessageUtils {
         // http://juick.com/last?page=2
         // <a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>
-        msg = msg.replaceAll("((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)", "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
+        msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$2</a>");
         // (http://juick.com/last?page=2)
         // (<a href="http://juick.com/last?page=2" rel="nofollow">http://juick.com/last?page=2</a>)
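Review bot: `private final static String regexUrl =` (and the `regexLinks2` declaration below it) uses the non-canonical modifier order and camelCase for a compile-time constant; the JLS-recommended order is `private static final`, and a string constant is conventionally named `REGEX_URL`, with the two `replaceAll` call sites in this file updated to match. The same regex string is still re-compiled by `replaceAll` at both call sites; keeping a `private static final Pattern` next to `regexLinks2` and calling `.matcher(msg).replaceAll(...)` would let them share one compiled pattern. formatMessageCode starts and ends outside these hunks.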
@@ -91,7 +96,7 @@ public class MessageUtils {
         // http://juick.com/last?page=2
         // <a href="http://juick.com/last?page=2" rel="nofollow">juick.com</a>
-        msg = msg.replaceAll("((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)", "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
+        msg = msg.replaceAll(regexUrl, "$1<a href=\"$2\" rel=\"nofollow\">$3</a>");
         // [link text][http://juick.com/last?page=2]
         // <a href="http://juick.com/last?page=2" rel="nofollow">link text</a>
@@ -268,4 +273,18 @@ public class MessageUtils {
     public static boolean isReply(Message message) {
         return message.getRid() > 0;
     }
+
+    public static String stripNonSafeUrls(String input) {
+        // strip login urls
+        Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input);
+        while (urlMatcher.find()) {
+            URI uri = URI.create(urlMatcher.group(0));
+            if (uri.getHost().equals("juick.com")) {
+                UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUri(uri);
+                uriComponentsBuilder.replaceQueryParam("hash", StringUtils.EMPTY);
+                input = input.replace(urlMatcher.group(0), uriComponentsBuilder.build().toUriString());
+            }
+        }
+        return input;
+    }
 }
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index 70dfd175..3c12de40 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
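Review bot: `uri.getHost().equals("juick.com")` in the new stripNonSafeUrls dereferences a host that `URI.create` can return as null (a registry-based authority such as a non-numeric port), and `URI.create` itself throws IllegalArgumentException for characters that regexUrl admits but the URI syntax forbids, so one such link aborts the whole processCommand call (which only declares `throws Exception`) instead of being skipped. The comparison is also case-sensitive while host names are not, so a link spelled `https://JUICK.COM/...` keeps its `hash` parameter; whether subdomains (the regex explicitly tolerates `www.`) need the same treatment depends on where the server accepts the hash, which is not visible here. `Pattern.compile(MessageUtils.regexUrl)` runs on every call and could be a `private static final Pattern` next to regexLinks2. Presumably `replaceQueryParam("hash", ...)` matching the exact parameter name is enough; if the server reads query parameters case-insensitively, the strip should match that rule — verify against the settings handler.

```java
private static final Pattern URL_PATTERN = Pattern.compile(regexUrl);

public static String stripNonSafeUrls(String input) {
    // strip login urls
    Matcher urlMatcher = URL_PATTERN.matcher(input);
    while (urlMatcher.find()) {
        String url = urlMatcher.group(0);
        URI uri;
        try {
            uri = URI.create(url);
        } catch (IllegalArgumentException ignored) {
            continue; // not a parseable URI: nothing to strip, do not fail the command
        }
        if (uri.getHost() != null && uri.getHost().equalsIgnoreCase("juick.com")) {
            // … unchanged: replaceQueryParam("hash", StringUtils.EMPTY) and input.replace(...) …
        }
    }
    return input;
}
```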
@@ -797,6 +797,11 @@ public class ServerTests {
         result = commandsManager.processCommand(user, String.format("#%d *one *two *three *four *five *six", msg.getMid()), emptyUri);
         assertThat(result.getNewMessage(), is(Optional.empty()));
         assertThat(result.getText(), is("Tags are NOT updated (5 tags maximum?)"));
+        result = commandsManager.processCommand(user, "I'm very smart to post my login url there: "
+                + "https://juick.com/settings?hash=VTYZkKV8FWkmu6g1", emptyUri);
+        assertThat(result.getNewMessage().isPresent(), is(true));
+        assertThat(result.getNewMessage().get().getText(), is("I'm very smart to post my login url there: "
+                + "https://juick.com/settings?hash="));
     }
     @Test
     public void mailParserTest() throws Exception { |
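Review bot: The new assertions only pin the lowercase, exact-host case of stripNonSafeUrls; a second `processCommand` call with the host in upper case, and one with a link that `URI.create` rejects, would document whether such input is expected to be stripped, left as-is, or to fail the command rather than leaving that to the implementation's current NPE/IllegalArgumentException behaviour. A message containing a non-`juick.com` link with a query string should also be asserted to come back unchanged, so the strip is shown not to over-reach. The enclosing test method starts outside the hunk.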