Disallow some unicode sequences in link previews.

2022-03-25 14:34:21 -04:00 · 2022-03-25 14:34:21 -04:00 · 72777bc6cd
commit 72777bc6cd
parent f2046c3c05
2 changed files with 11 additions and 0 deletions
--- a/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java
@ -39,6 +39,7 @@ public final class LinkPreviewUtil {
  private static final Pattern DOMAIN_PATTERN             = Pattern.compile("^(https?://)?([^/]+).*$");
  private static final Pattern ALL_ASCII_PATTERN          = Pattern.compile("^[\\x00-\\x7F]*$");
  private static final Pattern ALL_NON_ASCII_PATTERN      = Pattern.compile("^[^\\x00-\\x7F]*$");
+  private static final Pattern ILLEGAL_CHARACTERS_PATTERN = Pattern.compile("[\u202C\u202D\u202E\u2500-\u25FF]");
  private static final Pattern OPEN_GRAPH_TAG_PATTERN     = Pattern.compile("<\\s*meta[^>]*property\\s*=\\s*\"\\s*og:([^\"]+)\"[^>]*/?\\s*>");
  private static final Pattern ARTICLE_TAG_PATTERN        = Pattern.compile("<\\s*meta[^>]*property\\s*=\\s*\"\\s*article:([^\"]+)\"[^>]*/?\\s*>");
  private static final Pattern OPEN_GRAPH_CONTENT_PATTERN = Pattern.compile("content\\s*=\\s*\"([^\"]*)\"");
@ -80,6 +81,10 @@ public final class LinkPreviewUtil {
  }

  public static boolean isLegalUrl(@NonNull String url) {
+    if (ILLEGAL_CHARACTERS_PATTERN.matcher(url).find()) {
+      return false;
+    }
+
    Matcher matcher = DOMAIN_PATTERN.matcher(url);

    if (matcher.matches()) {
--- a/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java
+++ b/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java
@ -30,6 +30,12 @@ public class LinkPreviewUtilTest_isLegal {
        { "http://foo.кц.рф",                      false },
        { "https://abcdefg.onion",                 false },
        { "https://abcdefg.i2p",                   false },
+        { "кц.рф\u202C",                           false },
+        { "кц.рф\u202D",                           false },
+        { "кц.рф\u202E",                           false },
+        { "кц.рф\u2500",                           false },
+        { "кц.рф\u25AA",                           false },
+        { "кц.рф\u25FF",                           false },
        { "",                                      false }
    });
  }