From 3431b16ce47f22d5448296d2b8a57e42af05636f Mon Sep 17 00:00:00 2001 From: Jeremy Klein Date: Fri, 20 Sep 2024 18:03:20 -0700 Subject: [PATCH 1/2] Sanitize user names when parsing lnurlp urls --- uma/uma.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/uma/uma.go b/uma/uma.go index c9156a9..97d89f2 100644 --- a/uma/uma.go +++ b/uma/uma.go @@ -11,6 +11,7 @@ import ( "math/big" "net/http" "net/url" + "regexp" "strconv" "strings" "time" @@ -313,7 +314,12 @@ func ParseLnurlpRequestWithReceiverDomain(url url.URL, receiverDomain string) (* if len(pathParts) != 4 || pathParts[1] != ".well-known" || pathParts[2] != "lnurlp" { return nil, errors.New("invalid uma request path") } - receiverAddress := pathParts[3] + "@" + receiverDomain + username := pathParts[3] + var validUsernameRegex = regexp.MustCompile(`^[$a-zA-Z0-9._\-+]+$`) + if !validUsernameRegex.MatchString(username) { + return nil, errors.New("invalid uma username") + } + receiverAddress := username + "@" + receiverDomain nilIfEmpty := func(s string) *string { if s == "" { From 364e78bffd8f81a30dbb23b1635e345c9e38009e Mon Sep 17 00:00:00 2001 From: Jeremy Klein Date: Fri, 20 Sep 2024 18:08:32 -0700 Subject: [PATCH 2/2] Add a test --- uma/test/uma_test.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/uma/test/uma_test.go b/uma/test/uma_test.go index ff9b39f..f42e4e8 100644 --- a/uma/test/uma_test.go +++ b/uma/test/uma_test.go @@ -44,6 +44,13 @@ func TestParse(t *testing.T) { assert.ObjectsAreEqual(expectedQuery, *query) } +func TestInvalidUserName(t *testing.T) { + urlString := "https://vasp2.com/.well-known/lnurlp/bob<>%20?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true×tamp=12345678" + urlObj, _ := url.Parse(urlString) + _, err := uma.ParseLnurlpRequest(*urlObj) + require.Error(t, err) +} + func TestIsUmaQueryValid(t *testing.T) { urlString := "https://vasp2.com/.well-known/lnurlp/bob?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true×tamp=12345678" urlObj, _ := url.Parse(urlString)