krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-17 22:57:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(regexp): escape inputs

Browse Source
This commit is contained in:
Matteo Pagliazzi
2020-04-28 16:00:17 +02:00
parent 783b8995b8
commit b947c714f0
3 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
website/server/controllers/api-v3/members.js
View File

@@ -1,3 +1,4 @@
import escapeRegExp from 'lodash/escapeRegExp';
import { authWithHeaders } from '../../middlewares/auth'; import { authWithHeaders } from '../../middlewares/auth';
import { import {
model as User, model as User,
@@ -354,7 +355,8 @@ function _getMembersForItem (type) {
if (req.query.search) { if (req.query.search) {
// Creates a RegExp expression when querying for profile.name // Creates a RegExp expression when querying for profile.name
query['profile.name'] = { $regex: new RegExp(req.query.search, 'i') }; const escapedSearch = escapeRegExp(req.query.search);
query['profile.name'] = { $regex: new RegExp(escapedSearch, 'i') };
} }
} else if (type === 'group-invites') { } else if (type === 'group-invites') {
if (group.type === 'guild') { // eslint-disable-line no-lonely-if if (group.type === 'guild') { // eslint-disable-line no-lonely-if

6
website/server/libs/stringUtils.js
View File

@@ -1,3 +1,4 @@
import escapeRegExp from 'lodash/escapeRegExp';
export function removePunctuationFromString (str) { export function removePunctuationFromString (str) {
return str.replace(/[.,/#!@$%^&;:{}=\-_`~()]/g, ' '); return str.replace(/[.,/#!@$%^&;:{}=\-_`~()]/g, ' ');
@@ -5,7 +6,10 @@ export function removePunctuationFromString (str) {
export function getMatchesByWordArray (str, wordsToMatch) { export function getMatchesByWordArray (str, wordsToMatch) {
const matchedWords = []; const matchedWords = [];
const wordRegexs = wordsToMatch.map(word => new RegExp(`\\b([^a-z]+)?${word}([^a-z]+)?\\b`, 'i')); const wordRegexs = wordsToMatch.map(word => {
const escapedWord = escapeRegExp(word);
return new RegExp(`\\b([^a-z]+)?${escapedWord}([^a-z]+)?\\b`, 'i');
});
for (let i = 0; i < wordRegexs.length; i += 1) { for (let i = 0; i < wordRegexs.length; i += 1) {
const regEx = wordRegexs[i]; const regEx = wordRegexs[i];
const match = str.match(regEx); const match = str.match(regEx);

6
website/server/libs/user/validation.js
View File

@@ -1,8 +1,12 @@
import escapeRegExp from 'lodash/escapeRegExp';
import bannedSlurs from '../bannedSlurs'; import bannedSlurs from '../bannedSlurs';
import { getMatchesByWordArray } from '../stringUtils'; import { getMatchesByWordArray } from '../stringUtils';
import forbiddenUsernames from '../forbiddenUsernames'; import forbiddenUsernames from '../forbiddenUsernames';
const bannedSlurRegexs = bannedSlurs.map(word => new RegExp(`.*${word}.*`, 'i')); const bannedSlurRegexs = bannedSlurs.map(word => {
const escapedWord = escapeRegExp(word);
return new RegExp(`.*${escapedWord}.*`, 'i');
});
export function nameContainsSlur (username) { export function nameContainsSlur (username) {
for (let i = 0; i < bannedSlurRegexs.length; i += 1) { for (let i = 0; i < bannedSlurRegexs.length; i += 1) {