Fix SUPPORTED_MEDIA_DOMAINS regex whitelist (#3459)

The `SUPPORTED_MEDIA_DOMAINS` regex whitelist, used to check if media link comes from trusted hosts is invalid. It does not expose a security risk or I couldn't find an example for such as of now, but if someone would add a subdomain host to it using the same pattern, it would. A counter example below: ```js const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg.com|cdninstagram.com|redd.it|imgur.com|fbcdn.net|pinimg.com)$/i; console.log('Testing redd.it: ' + SUPPORTED_MEDIA_DOMAINS.test('redd.it')); console.log('Testing reddjit: ' + SUPPORTED_MEDIA_DOMAINS.test('reddjit')); ``` Output: ``` $ node example.js Testing redd.it: true Testing reddjit: true ``` --- To be more clear, if someone would extend the regex in the future with e.g. `media.redd.it`, an attacker would be able to create a `mediaXredd.it` domain and bypass the whitelist. --- A visualisation of the incorrect regex can be found on https://regexper.com/#%5E%28%5B%5E.%5D%2B%5C.%29*%28ytimg.com%7Ccdninstagram.com%7Credd.it%7Cimgur.com%7Cfbcdn.net%7Cpinimg.com%29%24 The issue has been found with LGTM: b626ef0b64/files/js/modules/link_previews.js (xdabadfc2bf20f0c3):1
2019-07-16 22:28:16 +02:00 · 2019-07-16 22:28:16 +02:00 · fa4b2d412f
commit fa4b2d412f
parent f2dd10cd1a
1 changed files with 1 additions and 1 deletions
--- a/js/modules/link_previews.js
+++ b/js/modules/link_previews.js
@ -68,7 +68,7 @@ function isStickerPack(link) {
  return (link || '').startsWith('https://signal.org/addstickers/');
 }

-const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg.com|cdninstagram.com|redd.it|imgur.com|fbcdn.net|pinimg.com)$/i;
+const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg\.com|cdninstagram\.com|redd\.it|imgur\.com|fbcdn\.net|pinimg\.com)$/i;
 function isMediaLinkInWhitelist(link) {
  try {
    const url = new URL(link);