From bd1e2e3a58ebd702306e7a6e2df985ac07e5f7d8 Mon Sep 17 00:00:00 2001
From: Alex Gleason <alex@alexgleason.me>
Date: Fri, 17 Jul 2020 19:11:28 -0500
Subject: [PATCH] Validate alias IDs

---
 CHANGELOG.md        |  1 +
 lib/pleroma/user.ex | 13 +++++++++++++
 test/user_test.exs  |  7 +++++++
 3 files changed, 21 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a02f28241..ef3235804 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -63,6 +63,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support pagination in emoji packs API (for packs and for files in pack)
 - Support for viewing instances favicons next to posts and accounts
 - Added Pleroma.Upload.Filter.Exiftool as an alternate EXIF stripping mechanism targeting GPS/location metadata.
+- Ability to set ActivityPub aliases for follower migration.
 
 <details>
   <summary>API Changes</summary>
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 9b756c9a0..66664235b 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -47,6 +47,8 @@ defmodule Pleroma.User do
 
   # credo:disable-for-next-line Credo.Check.Readability.MaxLineLength
   @email_regex ~r/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/
+  # credo:disable-for-next-line Credo.Check.Readability.MaxLineLength
+  @url_regex ~r/https?:\/\/[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&\/=]*)/
 
   @strict_local_nickname_regex ~r/^[a-zA-Z\d]+$/
   @extended_local_nickname_regex ~r/^[a-zA-Z\d_-]+$/
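Review bot: `@url_regex` has no anchors, so `Regex.match?/2` accepts any string that merely contains a URL-shaped substring, and whatever surrounds that substring is stored as part of the alias. Wrap the pattern in `\A` … `\z`; the `^…$` style used by `@email_regex` just above would still tolerate a trailing newline. The `{1,6}` bound on the last label and the mandatory dot also reject longer TLDs and dotless hosts, which may not be intended. Checking `URI.parse/1` for an `http`/`https` scheme and a non-empty host would be easier to reason about than the regex.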
@@ -2278,6 +2280,7 @@ defmodule Pleroma.User do
 
     user
     |> change(%{ap_aliases: alias_set})
+    |> validate_ap_aliases()
     |> Repo.update()
   end
 
@@ -2290,6 +2293,16 @@ defmodule Pleroma.User do
 
     user
     |> change(%{ap_aliases: alias_set})
+    |> validate_ap_aliases()
     |> Repo.update()
   end
+
+  defp validate_ap_aliases(changeset) do
+    validate_change(changeset, :ap_aliases, fn :ap_aliases, ap_aliases ->
+      case Enum.all?(ap_aliases, fn a -> Regex.match?(@url_regex, a) end) do
+        true -> []
+        false -> [ap_aliases: "Invalid ap_id format. Must be a URL."]
+      end
+    end)
+  end
 end
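Review bot: In `validate_ap_aliases/1`, `Regex.match?/2` only accepts binaries, so a non-string element in `ap_aliases` raises `FunctionClauseError` instead of returning a changeset error. Whether callers can pass such values is not visible in this hunk, but the guard is cheap: `fn a -> is_binary(a) and Regex.match?(@url_regex, a) end`. The `case` on a boolean would read more directly as `if Enum.all?(...), do: [], else: [ap_aliases: "..."]`. A one-line comment above the function saying that every alias must be an http(s) URL would document the contract for the two callers.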
diff --git a/test/user_test.exs b/test/user_test.exs
index db6e4872e..29855b9cd 100644
--- a/test/user_test.exs
+++ b/test/user_test.exs
@@ -1876,6 +1876,13 @@ defmodule Pleroma.UserTest do
            ]
   end
 
+  test "add_aliases/2 with invalid alias" do
+    user = insert(:user)
+    {:error, _} = User.add_aliases(user, ["invalid_alias"])
+    {:error, _} = User.add_aliases(user, ["http://still_invalid"])
+    {:error, _} = User.add_aliases(user, ["http://validalias.com/users/dude", "invalid_alias"])
+  end
+
   test "delete_aliases/2" do
     user =
       insert(:user,
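Review bot: The new test only pattern-matches `{:error, _}`, so any failure of `add_aliases/2` passes it, not just the alias validation. Assuming the error value is the changeset returned by `Repo.update/1`, assert on the field, e.g. `assert {:error, %Ecto.Changeset{errors: [ap_aliases: _]}} = User.add_aliases(user, ["invalid_alias"])`. There is also no case for a string that embeds a well-formed URL inside other text (constructed example: `"x http://validalias.com/users/dude y"`), which is the input most likely to reveal whether the regex is anchored.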
-- 
2.49.0