From 72777bc6cdcef31325b5e2f8ebe1ea4712ee3f66 Mon Sep 17 00:00:00 2001
From: Greyson Parrelli
Date: Fri, 25 Mar 2022 14:34:21 -0400
Subject: [PATCH] Disallow some unicode sequences in link previews.
---
 .../thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java | 5 +++++
 .../securesms/linkpreview/LinkPreviewUtilTest_isLegal.java | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java b/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java
index 0d92c76a21..067e90833e 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtil.java
@@ -39,6 +39,7 @@ public final class LinkPreviewUtil {
 private static final Pattern DOMAIN_PATTERN = Pattern.compile("^(https?://)?([^/]+).*$");
 private static final Pattern ALL_ASCII_PATTERN = Pattern.compile("^[\\x00-\\x7F]*$");
 private static final Pattern ALL_NON_ASCII_PATTERN = Pattern.compile("^[^\\x00-\\x7F]*$");
+ private static final Pattern ILLEGAL_CHARACTERS_PATTERN = Pattern.compile("[\u202C\u202D\u202E\u2500-\u25FF]");
 private static final Pattern OPEN_GRAPH_TAG_PATTERN = Pattern.compile("<\\s*meta[^>]*property\\s*=\\s*\"\\s*og:([^\"]+)\"[^>]*/?\\s*>");
 private static final Pattern ARTICLE_TAG_PATTERN = Pattern.compile("<\\s*meta[^>]*property\\s*=\\s*\"\\s*article:([^\"]+)\"[^>]*/?\\s*>");
 private static final Pattern OPEN_GRAPH_CONTENT_PATTERN = Pattern.compile("content\\s*=\\s*\"([^\"]*)\"");
@@ -80,6 +81,10 @@ public final class LinkPreviewUtil {
 }
 public static boolean isLegalUrl(@NonNull String url) {
+ if (ILLEGAL_CHARACTERS_PATTERN.matcher(url).find()) {
+ return false;
+ }
+
 Matcher matcher = DOMAIN_PATTERN.matcher(url);
 if (matcher.matches()) {
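Review bot: The character class in `ILLEGAL_CHARACTERS_PATTERN` matches only three of the bidirectional formatting controls (U+202C, U+202D, U+202E) next to the U+2500–U+25FF range. The embeddings U+202A/U+202B, the isolates U+2066–U+2069 and the marks U+200E/U+200F also change how surrounding text is ordered on screen, and this pattern does not match them. Whether the later checks in `isLegalUrl` (its body continues outside the hunk) already reject them cannot be told from here; if they do not, the class could be widened to `Pattern.compile("[\u200E\u200F\u202A-\u202E\u2066-\u2069\u2500-\u25FF]")`. A one-line comment above the constant naming the ranges, for example `// Bidi formatting controls, plus box drawing / block elements / geometric shapes`, would let the next reader see why these code points were picked.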
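Review bot: The new early return in `isLegalUrl` has no comment saying that the whole string is scanned with `find()`, so a match in the path or query rejects the URL just as a match in the host does. That is the stricter and safer choice, but it differs from the domain-only checks that appear to follow (the method body continues outside the hunk), so it is worth stating. I would add `// Checked against the full URL, not only the host: these code points can make the displayed link differ from its real target.` above the `if`.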
diff --git a/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java b/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java
index a42cedf541..caf8e8e98c 100644
--- a/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java
+++ b/app/src/test/java/org/thoughtcrime/securesms/linkpreview/LinkPreviewUtilTest_isLegal.java
@@ -30,6 +30,12 @@ public class LinkPreviewUtilTest_isLegal {
 { "http://foo.кц.рф", false },
 { "https://abcdefg.onion", false },
 { "https://abcdefg.i2p", false },
+ { "кц.рф\u202C", false },
+ { "кц.рф\u202D", false },
+ { "кц.рф\u202E", false },
+ { "кц.рф\u2500", false },
+ { "кц.рф\u25AA", false },
+ { "кц.рф\u25FF", false },
 { "", false }
 });
 }
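Review bot: All six new cases append the rejected code point to the same scheme-less, all-non-ASCII host `кц.рф`, so none of them pins that the check applies to the whole URL rather than to the host alone. A case with a scheme and an otherwise acceptable ASCII host, with the code point after the first `/`, would fail if the check were later narrowed to the domain group. A constructed example is `{ "https://abcdefg.com/a\u202Eb", false },`. A second row with the code point inside an ASCII host, such as `{ "https://abc\u202Edefg.com", false },`, would cover the mixed-script path as well.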