util.stanza: Add stricter validation for data passed to stanza builder API

2025-04-04 05:37:39 +03:00 · 2018-03-16 14:51:24 +00:00 · 2018-03-16 14:51:24 +00:00 · 6d7cd57d44
commit 6d7cd57d44
parent b7fd84b6e5
2 changed files with 63 additions and 0 deletions
--- a/spec/util_stanza_spec.lua
+++ b/spec/util_stanza_spec.lua
@ -164,4 +164,38 @@ describe("util.stanza", function()
 			assert.are.equal(r.tags[1].tags[1].name, "service-unavailable");
 		end);
 	end);
+
+	describe("#invalid", function ()
+		it("name should be rejected", function ()
+			assert.has_error(function ()
+				st.stanza(1234);
+			end);
+			assert.has_error(function ()
+				st.stanza({});
+			end);
+			assert.has_error(function ()
+				st.stanza();
+			end);
+			assert.has_error(function ()
+				st.stanza("");
+			end);
+			assert.has_error(function ()
+				st.stanza(string.char(0xC0));
+			end);
+			assert.has_error(function ()
+				st.stanza(string.char(0xF4, 0x90, 0x80, 0x80));
+			end);
+			assert.has_error(function ()
+				st.stanza("<>");
+			end);
+			assert.has_error(function ()
+				st.stanza("&");
+			end);
+		end);
+		it("UTF-8 should be rejected", function ()
+			assert.has_error(function ()
+				st.stanza("tag"):text("hello "..string.char(0xF4, 0x90, 0x80, 0x80).." world");
+			end);
+		end);
+	end);
 end);
--- a/util/stanza.lua
+++ b/util/stanza.lua
@ -7,6 +7,7 @@
 --


+local assert        =        assert;
 local t_insert      =  table.insert;
 local t_remove      =  table.remove;
 local t_concat      =  table.concat;
@ -23,6 +24,8 @@ local s_sub         =    string.sub;
 local s_find        =   string.find;
 local os            =            os;

+local valid_utf8 = require "util.encodings".utf8.valid;
+
 local do_pretty_printing = not os.getenv("WINDIR");
 local getstyle, getstring;
 if do_pretty_printing then
@ -42,7 +45,32 @@ local _ENV = nil;
 local stanza_mt = { __name = "stanza" };
 stanza_mt.__index = stanza_mt;

+local function check_name(name)
+	assert(type(name) == "string", "tag name is not a string, "..type(name));
+	assert(#name > 0, "tag name is empty");
+	assert(not s_find(name, "[<>& '\"]"), "tag name contains invalid characters");
+	assert(valid_utf8(name), "tag name is invalid utf8");
+end
+local function check_attr(attr)
+	if attr ~= nil then
+		assert(type(attr) == "table", "attribute is not a table");
+		for k, v in pairs(attr) do
+			assert(type(k) == "string", "non-string key in attributes");
+			assert(valid_utf8(k), "attribute name is not valid utf8");
+			assert(type(v) == "string", "non-string value in attributes");
+			assert(valid_utf8(v), "attribute value is not valid utf8");
+		end
+	end
+end
+local function check_text(text)
+	assert(type(text) == "string", "text is not a string");
+	assert(valid_utf8(text), "text is not valid utf8");
+end
+
 local function new_stanza(name, attr, namespaces)
+	assert(name)
+	check_name(name);
+	check_attr(attr);
 	local stanza = { name = name, attr = attr or {}, namespaces = namespaces, tags = {} };
 	return setmetatable(stanza, stanza_mt);
 end
@ -69,6 +97,7 @@ function stanza_mt:tag(name, attr, namespaces)
 end

 function stanza_mt:text(text)
+	check_text(text);
 	local last_add = self.last_add;
 	(last_add and last_add[#last_add] or self):add_direct_child(text);
 	return self;