Disallow slashes and other naughty strings in project names

[mattbk]

Per some security researchers, we get project names like this:

• /www.evil.com/user_ip.php?gratipay project-review#313 /www.evil.com/user_ip.php?gratipay
• //www.google.com/?><x> project-review#312 //www.google.com/?>
• //www.google.com/? project-review#311 //www.google.com/?

All of these break the URL, so the project page can't be reached and needs to be manually removed from the database.

Not a security issue, but is an annoyance and could be used for spam.

[chadwhitacre]

@dmk246 @EdOverflow Would one of you be able to cross-link this to the relevant HackerOne ticket?

[EdOverflow]

@whit537 Done. https://hackerone.com/reports/176396

[mattbk]

Potentially useful? https://github.com/minimaxir/big-list-of-naughty-strings

[mattbk]

These types of names also produce errors on the front page (FD):

there is one failing request to
https://gratipay.com/x.x/?>/image?size=small, which returns a 404 error.

[mattbk]

NB, to delete existing bad projects, use branch.sql.
http://gratipay.slackarchive.io/gratipay/-/1488556344.00768/1488986867.00782/1488986782007817/

[mattbk]

Interesting.

TEAM_NAME_PATTERN = re.compile(r'^(?=.*[A-Za-z])([A-Za-z0-9.,-_ ]+)$')

[mattbk]

Those are the required characters. At least one letter and then you can have some other stuff that isn't required.

/me wanders off to learn how to regex out / and ? at the same time...

[chadwhitacre]

@mattbk I'm pretty sure there's a bug in the regex because - indicates a range encompassing all of the ASCII characters between , and _. If this hypothesis is correct than the way to fix is probably for the - to be the last character in the set.

[chadwhitacre]

Note that there's another similar regex for usernames which may have the same bug.

[mattbk]

I will try that.