Change link verification to ignore IDN domains (#20295)

Fix #3833
author: Eugen Rochko <eugen@zeonfederated.com> 2022-11-10 06:27:45 +0100
committer: GitHub <noreply@github.com> 2022-11-10 06:27:45 +0100
commit: 9965a23b043b0ab511e083c44acda891ea441859 (patch)
tree: c1281562aca885ca3cea65e5722d0d7a13e85ec5 /app/models/account
parent: 78a6b871fe3dae308380ea88132ddadc86a1431e (diff)
1 files changed, 15 insertions, 1 deletions
diff --git a/app/models/account/field.rb b/app/models/account/field.rb
index 4e0fd9230..d74f90b2b 100644
--- a/app/models/account/field.rb
+++ b/app/models/account/field.rb
@@ -3,6 +3,7 @@
 class Account::Field < ActiveModelSerializers::Model
   MAX_CHARACTERS_LOCAL  = 255
   MAX_CHARACTERS_COMPAT = 2_047
+  ACCEPTED_SCHEMES      = %w(http https).freeze
 
   attributes :name, :value, :verified_at, :account
 
@@ -34,7 +35,20 @@ class Account::Field < ActiveModelSerializers::Model
   end
 
   def verifiable?
-    value_for_verification.present? && /\A#{FetchLinkCardService::URL_PATTERN}\z/.match?(value_for_verification)
+    return false if value_for_verification.blank?
+
+    # This is slower than checking through a regular expression, but we
+    # need to confirm that it's not an IDN domain.
+
+    parsed_url = Addressable::URI.parse(value_for_verification)
+
+    ACCEPTED_SCHEMES.include?(parsed_url.scheme) &&
+      parsed_url.user.nil? &&
+      parsed_url.password.nil? &&
+      parsed_url.host.present? &&
+      parsed_url.normalized_host == parsed_url.host
+  rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
+    false
   end
 
   def requires_verification?
author	Eugen Rochko <eugen@zeonfederated.com>	2022-11-10 06:27:45 +0100
committer	GitHub <noreply@github.com>	2022-11-10 06:27:45 +0100
commit	9965a23b043b0ab511e083c44acda891ea441859 (patch)
tree	c1281562aca885ca3cea65e5722d0d7a13e85ec5 /app/models/account
parent	78a6b871fe3dae308380ea88132ddadc86a1431e (diff)