Improved user text input sanitisation and extended supported chars in DB (#122)

Author: zefir-git

src/main/java/pro/cloudnode/smp/bankaccounts/BankConfig.java

@@ -24,7 +24,9 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.Set;
 import java.util.TimeZone;
+import java.util.regex.Pattern;
 
 public final class BankConfig {
     public @NotNull FileConfiguration config;
@@ -421,6 +423,11 @@ public int invoicePerPage() {
         return config.getInt("invoice.per-page");
     }
 
+    // disallowed-regex
+    public @NotNull Pattern disallowedRegex() {
+        return Pattern.compile(Objects.requireNonNull(config.getString("disallowed-regex")));
+    }
+
     // messages.command-usage
     public @NotNull Component messagesCommandUsage(final @NotNull String command, final @NotNull String arguments) {
         return MiniMessage.miniMessage().deserialize(
@@ -624,10 +631,10 @@ public int invoicePerPage() {
     }
 
     // messages.errors.disallowed-characters
-    public @NotNull Component messagesErrorsDisallowedCharacters(final @NotNull String characters) {
+    public @NotNull Component messagesErrorsDisallowedCharacters(final @NotNull Set<@NotNull String> characters) {
         return MiniMessage.miniMessage().deserialize(
                 Objects.requireNonNull(config.getString("messages.errors.disallowed-characters")),
-                Placeholder.unparsed("characters", characters)
+                Placeholder.unparsed("characters", String.join("", characters))
         );
     }
 

src/main/java/pro/cloudnode/smp/bankaccounts/Command.java

@@ -12,6 +12,10 @@
 
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 public abstract class Command implements CommandExecutor, TabCompleter {
     /**
@@ -81,4 +85,18 @@ public final boolean onCommand(final @NotNull CommandSender sender, final @NotNu
         final @Nullable List<@NotNull String> suggestions = tab(sender, args);
         return Optional.ofNullable(suggestions).map(s -> s.stream().filter(suggestion -> suggestion.toLowerCase().startsWith(args[args.length - 1].toLowerCase())).toList()).orElse(null);
     }
+
+    protected static @NotNull Set<@NotNull String> getDisallowedCharacters(final @Nullable String input) {
+        if (input == null) return Set.of();
+        final @NotNull Set<@NotNull String> chars = input
+                .codePoints()
+                .filter(codePoint -> codePoint > 0xFFFF)
+                .mapToObj(codePoint -> new String(Character.toChars(codePoint)))
+                .collect(Collectors.toSet());
+        final @NotNull Matcher matcher = BankAccounts.getInstance().config().disallowedRegex().matcher(input);
+        while (matcher.find()) chars.add(matcher.group());
+        if (input.contains("<")) chars.add("<");
+        if (input.contains(">")) chars.add(">");
+        return chars;
+    }
 }

src/main/java/pro/cloudnode/smp/bankaccounts/commands/BankCommand.java

@@ -20,6 +20,7 @@
 import java.util.Arrays;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -382,8 +383,9 @@ public static boolean setName(final @NotNull CommandSender sender, final @NotNul
             name = name.length() > 32 ? name.substring(0, 32) : name;
             name = name.isEmpty() ? null : name;
 
-            if (name != null && (name.contains("<") || name.contains(">")))
-                return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters("<>"));
+            final @NotNull Set<@NotNull String> disallowedChars = getDisallowedCharacters(name);
+            if (!disallowedChars.isEmpty())
+                return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters(disallowedChars));
 
             account.get().name = name;
             account.get().update();
@@ -499,10 +501,11 @@ public static boolean transfer(final @NotNull CommandSender sender, final @NotNu
 
         @Nullable String description = args.length > 3 ? String
                 .join(" ", Arrays.copyOfRange(argsCopy, 3, argsCopy.length)).trim() : null;
-        if (description != null && description.length() > 64) description = description.substring(0, 64);
+        if (description != null && description.length() > 64) description = description.substring(0, 63) + "…";
 
-        if (description != null && (description.contains("<") || description.contains(">")))
-            return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters("<>"));
+        final @NotNull Set<@NotNull String> disallowedChars = getDisallowedCharacters(description);
+        if (!disallowedChars.isEmpty())
+            return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters(disallowedChars));
 
         if (!confirm && BankAccounts.getInstance().config().transferConfirmationEnabled()) {
             final @NotNull BigDecimal minAmount = BankAccounts.getInstance().config().transferConfirmationMinAmount();

src/main/java/pro/cloudnode/smp/bankaccounts/commands/InvoiceCommand.java

@@ -17,6 +17,7 @@
 import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Stream;
 
 public final class InvoiceCommand extends Command {
@@ -176,7 +177,12 @@ public static boolean create(final @NotNull CommandSender sender, @NotNull Strin
         if (account.get().frozen)
             return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsFrozen(account.get()));
 
-        final @Nullable String description = argsCopy.length < 3 ? null : String.join(" ", Arrays.copyOfRange(argsCopy, 2, argsCopy.length));
+        @Nullable String description = argsCopy.length < 3 ? null : String.join(" ", Arrays.copyOfRange(argsCopy, 2, argsCopy.length));
+        if (description != null && description.length() > 64) description = description.substring(0, 63) + "…";
+
+        final @NotNull Set<@NotNull String> disallowedChars = getDisallowedCharacters(description);
+        if (!disallowedChars.isEmpty())
+            return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters(disallowedChars));
 
         final @NotNull Invoice invoice = new Invoice(account.get(), amount, description, target);
         invoice.insert();

src/main/java/pro/cloudnode/smp/bankaccounts/commands/POSCommand.java

@@ -20,6 +20,7 @@
 import java.util.Arrays;
 import java.util.Date;
 import java.util.Optional;
+import java.util.Set;
 
 /**
  * Create a POS at the location the player is looking at.
@@ -76,10 +77,11 @@ public boolean execute(final @NotNull CommandSender sender, final @NotNull Strin
         if (POS.get(chest).isPresent()) return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsPosAlreadyExists());
 
         @Nullable String description = args.length > 2 ? String.join(" ", Arrays.copyOfRange(args, 2, args.length)) : null;
-        if (description != null && description.length() > 64) description = description.substring(0, 64);
+        if (description != null && description.length() > 64) description = description.substring(0, 63) + "…";
 
-        if (description != null && (description.contains("<") || description.contains(">")))
-            return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters("<>"));
+        final @NotNull Set<@NotNull String> disallowedChars = getDisallowedCharacters(description);
+        if (!disallowedChars.isEmpty())
+            return sendMessage(sender, BankAccounts.getInstance().config().messagesErrorsDisallowedCharacters(disallowedChars));
 
         final @NotNull POS pos = new POS(target.getLocation(), price, description, account.get(), new Date());
         pos.save();

src/main/resources/config.yml

@@ -257,6 +257,12 @@ invoice:
     # Number of invoices to return per page
     per-page: 10
 
+# Advanced: do not edit unless you have good understanding of RegEx
+# Regular expression for disallowed characters user-provided text inputs
+# e.g. account name, transaction description, POS description, invoice description
+# Note: additionally <> and characters with code point above 0xFFFF are always disallowed.
+disallowed-regex: [\x00-\x08\x0B-\x1F\x7F-\x9F\u2400-\u2421\u200B-\u200D\uFEFF\uD800-\uDB7F\uDFFF]
+
 # Messages
 messages:
     # Command usage message

src/main/resources/db-init/mysql.sql

@@ -54,3 +54,15 @@ WHERE `world` NOT LIKE '%-%-%-%-%';
 
 ALTER TABLE `pos`
     CHANGE COLUMN `world` `world` CHAR(36) CHARACTER SET latin1 COLLATE latin1_general_ci NOT NULL;
+
+ALTER TABLE `bank_accounts`
+    CHANGE COLUMN `name` `name` VARCHAR(24) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL;
+
+ALTER TABLE `bank_transactions`
+    CHANGE COLUMN `description` `description` VARCHAR(64) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL;
+
+ALTER TABLE `pos`
+    CHANGE COLUMN `description` `description` VARCHAR(64) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL;
+
+ALTER TABLE `bank_invoices`
+    CHANGE COLUMN `description` `description` VARCHAR(64) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci DEFAULT NULL;