60 lines
1.7 KiB
Clojure
60 lines
1.7 KiB
Clojure
(ns utils.security.core
|
|
(:require [utils.security.security-html :as h]))
|
|
|
|
(defprotocol Unmaskable
|
|
;; Retrieve the stored value.
|
|
(unmask [this]))
|
|
|
|
;; MaskedData ensures that the object passed to it won't be occasionally printed
|
|
;; via println or log functions. Useful for keeping sensitive data, such as passwords
|
|
;; to avoid accidentally exposing them.
|
|
(deftype MaskedData [data]
|
|
Object
|
|
(toString [_] "******")
|
|
|
|
ICounted
|
|
(-count [^js this]
|
|
(count (.-data this)))
|
|
|
|
IEquiv
|
|
(-equiv [this other]
|
|
(if (instance? MaskedData other)
|
|
(= (unmask this)
|
|
(unmask other))
|
|
false))
|
|
|
|
Unmaskable
|
|
(unmask [^js this]
|
|
(.-data this)))
|
|
|
|
;; Returns a MaskedData instance that stores the piece of data.
|
|
(defn mask-data
|
|
[data]
|
|
(MaskedData. data))
|
|
|
|
(defn safe-unmask-data
|
|
[data]
|
|
(if (instance? MaskedData data)
|
|
(unmask data)
|
|
data))
|
|
|
|
;; Links starting with javascript:// should not be handled at all
|
|
(def javascript-link-regex #"(?i)javascript://.*")
|
|
;; Anything with rtlo character we don't handle as it might be a spoofed url
|
|
(def rtlo-link-regex #".*\u202e.*")
|
|
|
|
(defn safe-link?
|
|
"Check the link is safe to be handled, it is not a javavascript link or contains
|
|
an rtlo character, which might mean is a spoofed url"
|
|
[link]
|
|
(let [decoded-link (js/decodeURIComponent link)]
|
|
(not (or (re-matches javascript-link-regex decoded-link)
|
|
(re-matches rtlo-link-regex decoded-link)
|
|
(h/is-html? decoded-link)))))
|
|
|
|
(defn safe-link-text?
|
|
"Check the text of the message containing a link is safe to be handled
|
|
and does not contain an rtlo character, which might mean that the url is spoofed"
|
|
[text]
|
|
(not (re-matches rtlo-link-regex text)))
|