package imageproxy

import (
	"strings"

	"github.com/bluesky-social/indigo/atproto/syntax"
)

// unsafePathSequences are byte sequences that must never appear in an
// identifier which may later be used to build a filesystem path: the
// traversal sequence, both path separators, and NUL.
var unsafePathSequences = []string{"..", "/", "\\", "\x00"}

// hasUnsafePathSequence reports whether s contains any entry of
// unsafePathSequences.
func hasUnsafePathSequence(s string) bool {
	for _, seq := range unsafePathSequences {
		if strings.Contains(s, seq) {
			return true
		}
	}
	return false
}

// ValidateDID validates that a DID string matches expected atproto DID formats.
// Path-hostile sequences ("..", "/", "\", NUL) are rejected up front as a
// defense-in-depth check; the format itself is delegated to the Indigo
// library's syntax.ParseDID so validation matches the rest of the codebase.
// Returns ErrInvalidDID if the DID is invalid. Note that a DID that passes
// here may still contain characters (such as ':') that are unsafe in some
// filesystems; use SanitizePathComponent before building a path from it.
func ValidateDID(did string) error {
	if hasUnsafePathSequence(did) {
		return ErrInvalidDID
	}
	if _, err := syntax.ParseDID(did); err != nil {
		return ErrInvalidDID
	}
	return nil
}

// ValidateCID validates that a CID string is a valid content identifier.
// Path-hostile sequences ("..", "/", "\", NUL) are rejected up front as a
// defense-in-depth check; the format itself is delegated to the Indigo
// library's syntax.ParseCID so validation matches the rest of the codebase.
// Returns ErrInvalidCID if the CID is invalid.
func ValidateCID(cid string) error {
	if hasUnsafePathSequence(cid) {
		return ErrInvalidCID
	}
	if _, err := syntax.ParseCID(cid); err != nil {
		return ErrInvalidCID
	}
	return nil
}

// SanitizePathComponent ensures a string is safe to use as a filesystem path component.
// It removes or replaces characters that could be used for path traversal attacks.
// This is used as an additional safety layer beyond DID/CID validation.
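func SanitizePathComponent(s string) string {
	// Strip NUL bytes before anything else. If NUL were removed last, an input
	// such as ".\x00." would survive the ".." pass and then collapse into ".."
	// once the NUL disappears, defeating the traversal check below.
	s = strings.ReplaceAll(s, "\x00", "")

	// Path separators (POSIX and Windows) become underscores.
	s = strings.ReplaceAll(s, "/", "_")
	s = strings.ReplaceAll(s, "\\", "_")

	// Colons are replaced for Windows drive/stream compatibility and general
	// safety (atproto DIDs such as "did:plc:..." always contain them).
	s = strings.ReplaceAll(s, ":", "_")

	// Remove traversal sequences. A single pass is sufficient at this point:
	// with NUL already gone, ReplaceAll reduces a run of k dots to k mod 2 dots
	// and runs are separated by non-dot characters, so the removal itself can
	// never splice a new ".." together.
	s = strings.ReplaceAll(s, "..", "")

	// "" and "." are not usable path components (the latter resolves to the
	// current directory, e.g. for inputs "..", "..." or "."), so return a
	// neutral placeholder rather than letting a caller join them into a path.
	if s == "" || s == "." {
		return "_"
	}
	return s
}

// ValidatePreset validates that a preset name is safe and exists.
// It rejects empty names, path separators, NUL bytes and ".." traversal
// sequences (the same pre-checks ValidateDID/ValidateCID apply), then
// confirms the preset is registered via GetPreset. Returns ErrInvalidPreset
// for unsafe names and GetPreset's error for unknown ones.
func ValidatePreset(preset string) error {
	switch {
	case preset == "":
		return ErrInvalidPreset
	case strings.ContainsAny(preset, "/\\\x00"):
		// Separators and NUL are single bytes, so ContainsAny is sufficient.
		return ErrInvalidPreset
	case strings.Contains(preset, ".."):
		// ".." must be matched as a substring; ContainsAny would reject any dot.
		return ErrInvalidPreset
	}

	_, err := GetPreset(preset)
	return err
}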