Don't join or get metadata of an invalid channel

2021-03-30 10:37:45 +02:00 · 2021-03-30 10:37:45 +02:00 · cee0a2c577
parent 6d6bd9908e
commit cee0a2c577
3 changed files with 16 additions and 0 deletions
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@ -644,6 +644,10 @@ Version 4: Data URL when not a realtime link yet (new pad or "static" app)
            '/' + curvePublic.replace(/\//g, '-') + '/';
    };

+    Hash.isValidChannel = function (channelId) {
+        return /^[a-zA-Z0-9]{32,48}$/.test(channelId);
+    };
+
    Hash.isValidHref = function (href) {
        // Non-empty href?
        if (!href) { return; }
--- a/www/common/outer/async-store.js
+++ b/www/common/outer/async-store.js
@ -1661,6 +1661,9 @@ define([
            if (data.versionHash) {
                return void getVersionHash(clientId, data);
            }
+            if (!Hash.isValidChannel(data.channel)) {
+                return void postMessage(clientId, "PAD_ERROR", 'INVALID_CHAN');
+            }
            var isNew = typeof channels[data.channel] === "undefined";
            var channel = channels[data.channel] = channels[data.channel] || {
                queue: [],
@ -2043,6 +2046,10 @@ define([
            if (store.offline || !store.anon_rpc) { return void cb({ error: 'OFFLINE' }); }
            if (!data.channel) { return void cb({ error: 'ENOTFOUND'}); }
            if (data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); }
+            if (!Hash.isValidChannel(data.channel)) {
+                Feedback.send('METADATA_INVALID_CHAN');
+                return void cb({ error: 'EINVAL' });
+            }
            store.anon_rpc.send('GET_METADATA', data.channel, function (err, obj) {
                if (err) { return void cb({error: err}); }
                var metadata = (obj && obj[0]) || {};
--- a/www/common/outer/userObject.js
+++ b/www/common/outer/userObject.js
@ -829,6 +829,11 @@ define([
                            console.error(e);
                        }
                    }
+                    if (!Hash.isValidChannel(el.channel)) {
+                        // XXX delete channel?
+                        console.error('Remove invalid channel', el.channel, el);
+                        // toClean.push(id);
+                    }

                    if ((loggedIn || config.testMode) && rootFiles.indexOf(id) === -1) {
                        debug("An element in filesData was not in ROOT, TEMPLATE or TRASH.", id, el);