Verify sticker data in getDataFromLink

2020-08-26 17:16:59 -05:00 · 2020-08-26 17:16:59 -05:00 · aaed0db2e5
commit aaed0db2e5
parent 333feaa81e
5 changed files with 178 additions and 13 deletions
--- a/js/modules/stickers.js
+++ b/js/modules/stickers.js
@ -5,7 +5,8 @@
  navigator,
  reduxStore,
  reduxActions,
-  URL
+  URL,
+  URLSearchParams
 */

 const BLESSED_PACKS = {
@ -27,10 +28,11 @@ const BLESSED_PACKS = {
  },
 };

+const VALID_PACK_ID_REGEXP = /^[0-9a-f]{32}$/i;
+
 const { isNumber, pick, reject, groupBy, values } = require('lodash');
 const pMap = require('p-map');
 const Queue = require('p-queue').default;
-const qs = require('qs');

 const { makeLookup } = require('../../ts/util/makeLookup');
 const {
@ -65,6 +67,7 @@ module.exports = {
  load,
  maybeDeletePack,
  downloadQueuedPacks,
+  isPackIdValid,
  redactPackId,
  removeEphemeralPack,
  savePackMetadata,
@ -90,18 +93,36 @@ async function load() {
 }

 function getDataFromLink(link) {
-  const { hash } = new URL(link);
+  let url;
+  try {
+    url = new URL(link);
+  } catch (err) {
+    return null;
+  }
+
+  const { hash } = url;
  if (!hash) {
    return null;
  }

-  const data = hash.slice(1);
-  const params = qs.parse(data);
+  let params;
+  try {
+    params = new URLSearchParams(hash.slice(1));
+  } catch (err) {
+    return null;
+  }

-  return {
-    id: params.pack_id,
-    key: params.pack_key,
-  };
+  const id = params.get('pack_id');
+  if (!isPackIdValid(id)) {
+    return null;
+  }
+
+  const key = params.get('pack_key');
+  if (!key) {
+    return null;
+  }
+
+  return { id, key };
 }

 function getInstalledStickerPacks() {
@ -231,6 +252,10 @@ function getInitialState() {
  return initialState;
 }

+function isPackIdValid(packId) {
+  return typeof packId === 'string' && VALID_PACK_ID_REGEXP.test(packId);
+}
+
 function redactPackId(packId) {
  return `[REDACTED]${packId.slice(-3)}`;
 }