From c3f5d83b7beed8a523b8a851df742ef028de5efd Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Thu, 17 May 2018 22:26:14 +0300
Subject: fix unsafe urls stripping
---
 .../src/main/java/com/juick/util/MessageUtils.java | 14 +++++++++-----
 .../src/test/java/com/juick/server/tests/ServerTests.java | 7 +++----
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/juick-common/src/main/java/com/juick/util/MessageUtils.java b/juick-common/src/main/java/com/juick/util/MessageUtils.java
index 5a4b05ca..c9796809 100644
--- a/juick-common/src/main/java/com/juick/util/MessageUtils.java
+++ b/juick-common/src/main/java/com/juick/util/MessageUtils.java
@@ -57,8 +57,12 @@ public class MessageUtils {
 return result;
 }
- private final static String regexUrl =
- "((?<=\\s)|(?<=\\A))((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"]*)";
+ private final static String urlWhiteSpacePrefix = "((?<=\\s)|(?<=\\A))";
+
+ private final static String urlRegex = "((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\n\\\"]+)/?[^\\s\\n\\\"\\>]*)";
+
+ private final static String urlWithWhitespacesRegex =
+ urlWhiteSpacePrefix + urlRegex;
 private final static Pattern regexLinks2 = Pattern.compile("((?<=\\s)|(?<=\\A))([\\[\\{]|<)((?:ht|f)tps?://(?:www\\.)?([^\\/\\s\\\"\\)\\!]+)/?(?:[^\\]\\}](?http://juick.com/last?page=2
- msg = msg.replaceAll(regexUrl, "$1$2");
+ msg = msg.replaceAll(urlWithWhitespacesRegex, "$1$2");
 // (http://juick.com/last?page=2)
 // (http://juick.com/last?page=2)
@@ -96,7 +100,7 @@ public class MessageUtils {
 // http://juick.com/last?page=2
 // juick.com
- msg = msg.replaceAll(regexUrl, "$1$3");
+ msg = msg.replaceAll(urlWithWhitespacesRegex, "$1$3");
 // [link text][http://juick.com/last?page=2]
 // link text 
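Review bot: The `\\>` exclusion added to the tail class of `urlRegex` is not added to the host class `([^\\/\\s\\n\\\"]+)`, so a bare bracketed URL such as `<http://juick.com>` still captures `juick.com>` as the host, and when `stripNonSafeUrls` passes that match to `URI.create` the `>` is rejected with IllegalArgumentException. Making the host class match the tail class, `([^\\/\\s\\n\\\"\\>]+)`, keeps the two consistent. Since `urlRegex` is now compiled on every `stripNonSafeUrls` call, it would also be worth holding it as a precompiled `private static final Pattern` (and the three constants read more conventionally as `private static final`). The `regexLinks2` line and the hunk that follows it appear garbled in this rendering, so they are not reviewed here.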
@@ -276,7 +280,7 @@ public class MessageUtils {
 public static String stripNonSafeUrls(String input) {
 // strip login urls
- Matcher urlMatcher = Pattern.compile(MessageUtils.regexUrl).matcher(input);
+ Matcher urlMatcher = Pattern.compile(MessageUtils.urlRegex).matcher(input);
 while (urlMatcher.find()) {
 URI uri = URI.create(urlMatcher.group(0));
 if (uri.getHost().equals("juick.com")) {
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index be81212b..177ced5e 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
@@ -797,11 +797,10 @@ public class ServerTests {
 result = commandsManager.processCommand(user, String.format("#%d *one *two *three *four *five *six", msg.getMid()), emptyUri);
 assertThat(result.getNewMessage(), is(Optional.empty()));
 assertThat(result.getText(), is("Tags are NOT updated (5 tags maximum?)"));
- result = commandsManager.processCommand(user, "I'm very smart to post my login url there: " +
- "https://juick.com/settings?hash=VTYZkKV8FWkmu6g1", emptyUri);
+ result = commandsManager.processCommand(user, "I'm very smart to post my login url there" +
+ "", emptyUri);
 assertThat(result.getNewMessage().isPresent(), is(true));
- assertThat(result.getNewMessage().get().getText(), is("I'm very smart to post my login url there: " +
- "https://juick.com/settings"));
+ assertFalse(result.getNewMessage().get().getText().contains("VTYZkKV8FWkmu6g1"));
 result = commandsManager.processCommand(user, "*корм *juick_ppl *рационализм *? *мюсли а сколько микроморт в дневной порции сверхмюслей?", emptyUri);
 assertTrue(result.getNewMessage().isPresent());
 }
-- 
cgit v1.2.3
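Review bot: Dropping the whitespace prefix lets the matcher reach URLs embedded in markup, but `URI.create(urlMatcher.group(0))` on the following line still receives whatever the permissive `urlRegex` accepted, and that text is not guaranteed to parse: characters the host class allows (for example `>`, `|`, `{`) make `URI.create` throw IllegalArgumentException, and an authority `URI` cannot parse as a server (an underscore in the host, for instance) leaves `getHost()` null so the `equals` call throws NullPointerException. Either exception aborts the whole strip for the message instead of skipping the one unparseable match, which is the wrong failure mode for a filter whose purpose is to remove login links. Suggest handling the parse failure per match and null-safe comparison, e.g. `URI uri; try { uri = URI.create(urlMatcher.group(0)); } catch (IllegalArgumentException e) { continue; }` followed by `if ("juick.com".equals(uri.getHost())) {`. The body of `stripNonSafeUrls` continues past the end of the hunk.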
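Review bot: The replacement assertion `assertFalse(result.getNewMessage().get().getText().contains("VTYZkKV8FWkmu6g1"))` only shows the hash token is absent; it no longer checks that the message text and the `https://juick.com/settings` part survive the stripping, which the removed `assertThat(..., is(...))` did. As rendered here the new input is `"I'm very smart to post my login url there" + ""`, i.e. the message contains no URL at all (markup may have been lost in this view), in which case the assertion passes trivially. Keeping a positive check alongside it, `assertTrue(result.getNewMessage().get().getText().contains("https://juick.com/settings"));`, would make the test meaningful regardless of how the input is rendered.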