Sanitize user names when parsing lnurlp urls

uma-universal-money-address · Sep 21, 2024 · 3431b16 · 3431b16
1 parent 7c8d698
commit 3431b16
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/uma/uma.go b/uma/uma.go
@@ -11,6 +11,7 @@ import (
 	"math/big"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -313,7 +314,12 @@ func ParseLnurlpRequestWithReceiverDomain(url url.URL, receiverDomain string) (*
 	if len(pathParts) != 4 || pathParts[1] != ".well-known" || pathParts[2] != "lnurlp" {
 		return nil, errors.New("invalid uma request path")
 	}
-	receiverAddress := pathParts[3] + "@" + receiverDomain
+	username := pathParts[3]
+	var validUsernameRegex = regexp.MustCompile(`^[$a-zA-Z0-9._\-+]+$`)
+	if !validUsernameRegex.MatchString(username) {
+		return nil, errors.New("invalid uma username")
+	}
+	receiverAddress := username + "@" + receiverDomain
 
 	nilIfEmpty := func(s string) *string {
 		if s == "" {