2018-05-22 10:07:27 +02:00
|
|
|
(ns status-im.utils.security)
|
|
|
|
|
|
|
|
|
|
(defprotocol Unmaskable
|
|
|
|
|
;; Retrieve the stored value.
|
|
|
|
|
(unmask [this]))
|
|
|
|
|
|
|
|
|
|
;; MaskedData ensures that the object passed to it won't be occasionally printed
|
|
|
|
|
;; via println or log functions. Useful for keeping sensitive data, such as passwords
|
|
|
|
|
;; to avoid accidentally exposing them.
|
|
|
|
|
(deftype MaskedData [data]
|
|
|
|
|
Object
|
|
|
|
|
(toString [_] "******")
|
|
|
|
|
Unmaskable
|
|
|
|
|
(unmask [this]
|
|
|
|
|
(.-data this)))
|
|
|
|
|
|
|
|
|
|
;; Returns a MaskedData instance that stores the piece of data.
|
|
|
|
|
(defn mask-data [data]
|
|
|
|
|
(MaskedData. data))
|
2018-10-20 17:29:11 +02:00
|
|
|
|
|
|
|
|
(defn safe-unmask-data [data]
|
|
|
|
|
(if (instance? MaskedData data)
|
|
|
|
|
(unmask data)
|
|
|
|
|
data))
|
2019-08-28 09:05:04 +02:00
|
|
|
|
|
|
|
|
;; Links starting with javascript:// should not be handled at all
|
|
|
|
|
(def javascript-link-regex #"javascript://.*")
|
|
|
|
|
;; Anything with rtlo character we don't handle as it might be a spoofed url
|
|
|
|
|
(def rtlo-link-regex #".*\u202e.*")
|
|
|
|
|
|
|
|
|
|
(defn safe-link?
|
|
|
|
|
"Check the link is safe to be handled, it is not a javavascript link or contains
|
|
|
|
|
an rtlo character, which might mean is a spoofed url"
|
|
|
|
|
[link]
|
|
|
|
|
(not (or (re-matches javascript-link-regex link)
|
|
|
|
|
(re-matches rtlo-link-regex link))))
|
|
|
|
|
|
|
|
|
|
(defn safe-link-text?
|
|
|
|
|
"Check the text of the message containing a link is safe to be handled
|
|
|
|
|
and does not contain an rtlo character, which might mean that the url is spoofed"
|
|
|
|
|
[text]
|
|
|
|
|
(not (re-matches rtlo-link-regex text)))
|
