Merge pull request #61 from uma-universal-money-address/fix/sanitize

Sanitize user names when parsing lnurlp urls

uma-sdk/src/commonMain/kotlin/me/uma/protocol/LnurlpRequest.kt

@@ -102,6 +102,11 @@ data class LnurlpRequest(
                 } else {
                     ""
                 }
+            val username = urlBuilder.pathSegments[3]
+            val usernameRegex = "^[A-Za-z0-9._$+-]+$".toRegex()
+            if (!username.matches(usernameRegex)) {
+                throw IllegalArgumentException("Invalid username. Only alphanumeric characters and ._$+- are allowed.")
+            }
             val receiverAddress = "${urlBuilder.pathSegments[3]}@${urlBuilder.host}$port"
             val vaspDomain = urlBuilder.parameters["vaspDomain"]
             val nonce = urlBuilder.parameters["nonce"]

uma-sdk/src/commonMain/kotlin/me/uma/protocol/PayRequest.kt

@@ -82,6 +82,7 @@ sealed interface PayRequest {
                 payerData,
                 requestedPayeeData,
                 comment,
+                invoiceUUID
             )
         }
     }

uma-sdk/src/commonTest/kotlin/me/uma/UmaTests.kt

@@ -227,6 +227,16 @@ class UmaTests {
         assertEquals(payreq, decodedPayReq)
     }
 
+    @Test
+    fun `test parse Lnurlp URL with invalid user`() {
+        val umaLnurlpQuery =
+            "https://example.com/.well-known/lnurlp/\$bob(?vaspDomain=example.com&nonce=123&signature=123&" +
+                "isSubjectToTravelRule=true&timestamp=123&umaVersion=1.0"
+        assertThrows<IllegalArgumentException> {
+            UmaProtocolHelper().parseLnurlpRequest(umaLnurlpQuery)
+        }
+    }
+
     @Test
     fun `test isUmaLnurlpQuery future-proofing`() {
         val umaLnurlpQuery =