From 51a2c85954e77068c6afbb4ca54159086220aefd Mon Sep 17 00:00:00 2001
From: Michael Muré
Date: Sat, 17 Apr 2021 17:40:11 +0200
Subject: make sure every text input is safe and validated fix #630
---
 util/text/transform.go | 30 +++++++++++++++++++++++++++---
 util/text/validate.go | 12 ++++++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)
(limited to 'util/text')
diff --git a/util/text/transform.go b/util/text/transform.go
index 59dc4e03..395a57be 100644
--- a/util/text/transform.go
+++ b/util/text/transform.go
@@ -8,7 +8,7 @@ import (
 	"golang.org/x/text/transform"
 )
-func Cleanup(text string) (string, error) {
+func Cleanup(text string) string {
 	// windows new line, Github, really ?
 	text = strings.Replace(text, "\r\n", "\n", -1)
@@ -23,9 +23,33 @@ func Cleanup(text string) (string, error) {
 	}))
 	sanitized, _, err := transform.String(t, text)
 	if err != nil {
-		return "", err
+		// transform.String should never return an error as our transformer doesn't returns one.
+		// Confirmed with fuzzing.
 		panic(err)
 	}
 	// trim extra new line not displayed in the github UI but still present in the data
-	return strings.TrimSpace(sanitized), nil
+	return strings.TrimSpace(sanitized)
+}
+
+func CleanupOneLine(text string) string {
+	// remove all unicode control characters *including*
+	// '\n', '\r' and '\t'
+	t := runes.Remove(runes.Predicate(unicode.IsControl))
+	sanitized, _, err := transform.String(t, text)
+	if err != nil {
+		// transform.String should never return an error as our transformer doesn't returns one.
+		// Confirmed with fuzzing.
+		panic(err)
+	}
+
+	// trim extra new line not displayed in the github UI but still present in the data
+	return strings.TrimSpace(sanitized)
+}
+
+func CleanupOneLineArray(texts []string) []string {
+	for i := range texts {
+		texts[i] = CleanupOneLine(texts[i])
+	}
+	return texts
+}
diff --git a/util/text/validate.go b/util/text/validate.go
index 51e94fb4..4c3f7065 100644
--- a/util/text/validate.go
+++ b/util/text/validate.go
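Review bot: The exported `Cleanup` still has no doc comment on the signature line this hunk rewrites, and now that the `error` result is gone nothing tells a caller that the function cannot fail. I would add, above `func Cleanup(text string) string {`: `// Cleanup normalizes free-form, multi-line text for storage: CRLF is rewritten to LF, the runes matched by the transformer built below are removed and surrounding whitespace is trimmed. It never returns an error.` The body of Cleanup continues past this hunk, so the exact rune set the transformer removes is not visible here and the comment should name it once checked against those lines.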
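Review bot: `CleanupOneLine` relies on `unicode.IsControl`, which matches only category Cc (U+0000–U+001F and U+007F–U+009F), so U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR survive in the middle of the string and the result is not guaranteed to render as a single line; `strings.TrimSpace` removes them only at the ends. For a one-line field I would widen the predicate, `t := runes.Remove(runes.Predicate(func(r rune) bool { return unicode.IsControl(r) || unicode.In(r, unicode.Zl, unicode.Zp) }))`, and keep `SafeOneLine` in validate.go on the identical predicate so sanitizer and validator stay in lockstep. Format characters (category Cf, including the bidi overrides and zero-width joiners) also pass through; whether to strip them is a product decision because some of them are legitimate in emoji sequences and in several scripts, so it should at least be stated in the comment. Two smaller documentation points: removal rather than replacement joins adjacent tokens (`"a\tb"` becomes `"ab"`), which the comment should say, and `CleanupOneLineArray` rewrites the caller's slice in place and returns it, which its missing doc comment should make explicit.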
@@ -33,6 +33,18 @@ func Safe(s string) bool {
 	return true
 }
+// Safe will tell if a character in the string is considered unsafe
+// Currently trigger on all unicode control character
+func SafeOneLine(s string) bool {
+	for _, r := range s {
+		if unicode.IsControl(r) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // ValidUrl will tell if the string contains what seems to be a valid URL
 func ValidUrl(s string) bool {
 	if strings.Contains(s, "\n") {
-- 
cgit
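Review bot: The doc comment on the new `SafeOneLine` is copied from `Safe` and starts with the wrong name, so `go doc` and linters will not attach it, and its grammar is off ("Currently trigger on all unicode control character"). I would replace the two comment lines with `// SafeOneLine reports whether s contains no Unicode control character (category Cc, as tested by unicode.IsControl);` and `// this rejects '\n', '\r' and '\t' as well as NUL and the C1 range, so the string is safe to store in a single-line field.` This predicate mirrors the one `CleanupOneLine` uses in transform.go; if either side is later widened without the other, the validator will reject text the sanitizer just produced or accept text it was meant to strip, so a cross-reference comment in both places is worth adding. `ValidUrl` begins on the last lines of this hunk and its body continues outside it.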