From c2eb030f9d57890fbec6d3fe98688be71fdfb243 Mon Sep 17 00:00:00 2001
From: Lia Lenckowski
Date: Tue, 29 Aug 2023 00:20:10 +0200
Subject: warn about sqli-type attacks with emails, and make them a bit harder

---
 fastbangs.yaml | 3 +++
 src/Data/PendingBang.hs | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/fastbangs.yaml b/fastbangs.yaml
index d184bae..1927761 100644
--- a/fastbangs.yaml
+++ b/fastbangs.yaml
@@ -20,4 +20,7 @@ admin-pw-hash: ""
 # Users can leave their email in order to be notified when their bang is
 # accepted/rejected. In order to send emails, the following command (if not
 # commented out) will receive as arguments, in order: recipient, subject, body
+# HUGE WARNING: THE ARGUMENTS ARE UNTRUSTED USER INPUT. Users can enter almost
+# everything as their email address, so not being careful can easily lead to SQLI-type
+# vulnerabilities, and possibly remote command execution, so be careful.
 #email-command: "/path/to/your/email/script"
diff --git a/src/Data/PendingBang.hs b/src/Data/PendingBang.hs
index 05fafba..3a2aaa1 100644
--- a/src/Data/PendingBang.hs
+++ b/src/Data/PendingBang.hs
@@ -45,5 +45,11 @@ instance FromJSON PendingBang where
 verifyPendingBang :: PendingBang -> Bool
 verifyPendingBang (PendingBang n u dp mayEm) =
-  T.all isAlphaNum n && all ((<255) . T.length) strings
+  T.all isAlphaNum n &&
+  all ((<255) . T.length) strings &&
+  emailOk mayEm
   where strings = [n, u, dp] <> maybeToList mayEm
+        emailOk Nothing = True
+        emailOk (Just e) =
+          T.all (\c -> isAlphaNum c || c `T.elem` "@-.") e &&
+          T.take 1 e /= "-"
-- 
cgit v1.2.3-70-g09d2
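Review bot: The new warning names the wrong vulnerability class: the values are passed as arguments to an external command, not to a database, so the risk is argument and option injection into that script (a recipient starting with `-` being parsed as a flag, or the script interpolating the value into a shell line), which is exactly what the `T.take 1 e /= "-"` and character-allowlist checks added to verifyPendingBang in this same commit address. "Users can enter almost everything" is also no longer accurate once the address is restricted to alphanumerics and `@-.`. Suggest replacing the three added lines with `# WARNING: these arguments are untrusted user input. The server restricts the address to alphanumerics and "@-." and rejects a leading "-", but your script must still pass them as separate argv entries (never interpolate them into a shell string) and treat them as data, not options.`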
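Review bot: `emailOk (Just e)` still lets `Just ""`, a bare `@`, and addresses with an empty local or domain part through, because `T.all` on an empty text is `True` and the only structural check is the leading dash, so an empty or malformed recipient can still be handed to the email command. Since the field is already `Maybe`, an empty value should be rejected here (or normalised to `Nothing` by the caller) and exactly one `@` with non-empty halves required; a small `T.splitOn "@"` helper does this without widening the allowlist, and `T.isPrefixOf "-" e` reads more directly than `T.take 1 e /= "-"`. Dropping `+` and `_` from the allowlist is a deliberate tightening given where the value ends up, so it deserves a why-comment rather than being left implicit. The hunk header counts one more old line than is shown, so a trailing context line of this where clause is not visible here.
```haskell
  where strings = [n, u, dp] <> maybeToList mayEm
        -- The address is handed to an external command as an argument, so it is
        -- kept to a conservative allowlist (no '+' or '_' on purpose) and must
        -- neither look like an option nor be empty/malformed.
        emailOk Nothing = True
        emailOk (Just e) =
          T.all (\c -> isAlphaNum c || c `T.elem` "@-.") e &&
          not ("-" `T.isPrefixOf` e) &&
          wellFormed (T.splitOn "@" e)
        -- exactly one '@' with non-empty local and domain parts; also rejects ""
        wellFormed [local, domain] = not (T.null local || T.null domain)
        wellFormed _               = False
```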