Merge pull request #47 from uma-universal-money-address/fix/sanitize

Sanitize user names when parsing lnurlp urls
uma-universal-money-address · Sep 21, 2024 · 7e166b7 · 7e166b7
2 parents 7c8d698 + 364e78b
commit 7e166b7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/uma/test/uma_test.go b/uma/test/uma_test.go
@@ -44,6 +44,13 @@ func TestParse(t *testing.T) {
 	assert.ObjectsAreEqual(expectedQuery, *query)
 }
 
+func TestInvalidUserName(t *testing.T) {
+	urlString := "https://vasp2.com/.well-known/lnurlp/bob<>%20?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true&timestamp=12345678"
+	urlObj, _ := url.Parse(urlString)
+	_, err := uma.ParseLnurlpRequest(*urlObj)
+	require.Error(t, err)
+}
+
 func TestIsUmaQueryValid(t *testing.T) {
 	urlString := "https://vasp2.com/.well-known/lnurlp/bob?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true&timestamp=12345678"
 	urlObj, _ := url.Parse(urlString)

diff --git a/uma/uma.go b/uma/uma.go
@@ -11,6 +11,7 @@ import (
 	"math/big"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -313,7 +314,12 @@ func ParseLnurlpRequestWithReceiverDomain(url url.URL, receiverDomain string) (*
 	if len(pathParts) != 4 || pathParts[1] != ".well-known" || pathParts[2] != "lnurlp" {
 		return nil, errors.New("invalid uma request path")
 	}
-	receiverAddress := pathParts[3] + "@" + receiverDomain
+	username := pathParts[3]
+	var validUsernameRegex = regexp.MustCompile(`^[$a-zA-Z0-9._\-+]+$`)
+	if !validUsernameRegex.MatchString(username) {
+		return nil, errors.New("invalid uma username")
+	}
+	receiverAddress := username + "@" + receiverDomain
 
 	nilIfEmpty := func(s string) *string {
 		if s == "" {