From d5313db5818e8049a5c7e8370455d83a88b36c99 Mon Sep 17 00:00:00 2001
From: Marti Martz
Date: Wed, 24 Nov 2021 18:22:14 -0700
Subject: [PATCH] Some more validations for improper Source Code (#1857)
* Moderators and above may still flag if further abused and of course optionally, unannounced, removal by Admin+. These are covered in the TOS already. Try a preemptive strategy instead. Post #1847 and applies to #657 Auto-merge
---
 controllers/discussion.js | 34 +++++++++++++++++++++++++++++++++-
 controllers/issue.js | 34 +++++++++++++++++++++++++++++++++-
 controllers/script.js | 17 +++++++++++++++++
 3 files changed, 83 insertions(+), 2 deletions(-)
diff --git a/controllers/discussion.js b/controllers/discussion.js
index 871391da5..015ee99c5 100644
--- a/controllers/discussion.js
+++ b/controllers/discussion.js
@@ -540,6 +540,12 @@ exports.createTopic = function (aReq, aRes, aNext) {
 var content = aReq.body['comment-content'];
 var userAgent = aReq.headers['user-agent'];
+ var parser = 'UserScript';
+ var rHeaderContent = new RegExp(
+ '^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
+ );
+ var headerContent = null;
+
 if (!category) {
 aNext();
 return;
@@ -566,6 +572,16 @@ exports.createTopic = function (aReq, aRes, aNext) {
 return;
 }
+ // Simple validation check
+ headerContent = rHeaderContent.exec(content);
+ if (headerContent) {
+ statusCodePage(aReq, aRes, aNext, {
+ statusCode: 403, // Forbidden
+ statusMessage: 'Source Code not allowed in Comment.'
+ });
+ return;
+ }
+
 postTopic(authedUser, category.slug, topic, content, false, userAgent, function (aDiscussion) {
 if (!aDiscussion) {
 exports.newTopic(aReq, aRes, aNext);
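Review bot: The metadata-block pattern is assembled from string fragments inside `createTopic` here and again, byte-for-byte, in `createComment`, in `issue.js` `open` and `comment`, and in `script.js` `edit`, so any future change to what counts as source code has to be repeated in five places; since nothing in the pattern depends on the request, one module-level constant built once and shared by the controllers would remove that drift risk. Inside a string literal `\/` is just `/`, so the fragments can be written as `'^(?:\\uFEFF)?// ==' + parser + '==([\\s\\S]*?)^// ==/' + parser + '=='` without suggesting a regex escape that never happens. The `'==\/'+ parser` fragment is also missing the space before `+` that the neighbouring concatenations use. `createTopic` starts before this hunk.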
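Review bot: The guard rejects any comment in which a complete `// ==UserScript== … // ==/UserScript==` block sits at the start of lines, which with the `m` flag includes a block quoted inside a Markdown fenced code block, while the same block indented by a single space or missing its closing marker is accepted; the `// Simple validation check` comment could state that scope, e.g. `// Convenience guard, not enforcement: reject a complete UserScript metadata block at line start (code fences included); indented or partial headers pass.` The capture group and `headerContent` are never read, so `if (rHeaderContent.test(content)) {` expresses the same check without the unused variable; the identical block recurs in `createComment`, `issue.js` `open`/`comment` and `script.js` `edit`. The 403 text does not tell the poster how to quote a header legitimately, which may be worth a short hint in `statusMessage`. `createTopic` continues past the hunk.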
@@ -591,6 +607,12 @@ exports.createComment = function (aReq, aRes, aNext) {
 var content = aReq.body['comment-content'];
 var userAgent = aReq.headers['user-agent'];
+ var parser = 'UserScript';
+ var rHeaderContent = new RegExp(
+ '^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
+ );
+ var headerContent = null;
+
 if (!aDiscussion) {
 aNext();
 return;
@@ -598,12 +620,22 @@ exports.createComment = function (aReq, aRes, aNext) {
 if (!content || !content.trim()) {
 statusCodePage(aReq, aRes, aNext, {
- statusCode: 403,
+ statusCode: 403, // Forbidden
 statusMessage: 'You cannot post an empty comment to this discussion'
 });
 return;
 }
+ // Simple validation check
+ headerContent = rHeaderContent.exec(content);
+ if (headerContent) {
+ statusCodePage(aReq, aRes, aNext, {
+ statusCode: 403, // Forbidden
+ statusMessage: 'Source Code not allowed in Comment.'
+ });
+ return;
+ }
+
 postComment(authedUser, aDiscussion, content, false, userAgent, function (aDiscussion) {
 if (!aDiscussion) {
 statusCodePage(aReq, aRes, aNext, {
diff --git a/controllers/issue.js b/controllers/issue.js
index 9507d9c20..0f3468332 100644
--- a/controllers/issue.js
+++ b/controllers/issue.js
@@ -348,6 +348,12 @@ exports.open = function (aReq, aRes, aNext) {
 var userAgent = aReq.headers['user-agent'];
 var tasks = [];
+ var parser = 'UserScript';
+ var rHeaderContent = new RegExp(
+ '^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
+ );
+ var headerContent = null;
+
 // Session
 options.authedUser = authedUser = modelParser.parseUser(authedUser);
 options.isMod = authedUser && authedUser.isMod;
@@ -377,6 +383,16 @@ exports.open = function (aReq, aRes, aNext) {
 return;
 }
+ // Simple validation check
+ headerContent = rHeaderContent.exec(content);
+ if (headerContent) {
+ statusCodePage(aReq, aRes, aNext, {
+ statusCode: 403, // Forbidden
+ statusMessage: 'Source Code not allowed in Comment.'
+ });
+ return;
+ }
+
 // Issue Submission
 discussionLib.postTopic(authedUser, category.slug, topic, content, true, userAgent, function (aDiscussion) {
@@ -419,6 +435,12 @@ exports.comment = function (aReq, aRes, aNext) {
 var category = type + '/' + installNameBase + '/issues';
 var topic = aReq.params.topic;
+ var parser = 'UserScript';
+ var rHeaderContent = new RegExp(
+ '^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
+ );
+ var headerContent = null;
+
 if (aErr || !aScript) {
 aNext();
 return;
@@ -426,12 +448,22 @@ exports.comment = function (aReq, aRes, aNext) {
 if (!content || !content.trim()) {
 statusCodePage(aReq, aRes, aNext, {
- statusCode: 403,
+ statusCode: 403, // Forbidden
 statusMessage: 'You cannot post an empty comment to this issue'
 });
 return;
 }
+ // Simple validation check
+ headerContent = rHeaderContent.exec(content);
+ if (headerContent) {
+ statusCodePage(aReq, aRes, aNext, {
+ statusCode: 403, // Forbidden
+ statusMessage: 'Source Code not allowed in Comment.'
+ });
+ return;
+ }
+
 discussionLib.findDiscussion(category, topic, function (aIssue) { // var authedUser = aReq.session.user;
diff --git a/controllers/script.js b/controllers/script.js
index 9f530226c..b21a195e3 100644
--- a/controllers/script.js
+++ b/controllers/script.js
@@ -29,6 +29,7 @@ var getFlaggedListForContent = require('./flag').getFlaggedListForContent;
 //--- Library inclusions // var scriptLib = require('../libs/script');
+var statusCodePage = require('../libs/templateHelpers').statusCodePage;
 var isSameOrigin = require('../libs/helpers').isSameOrigin;
 var voteLib = require('../libs/vote');
@@ -438,6 +439,12 @@ exports.edit = function (aReq, aRes, aNext) {
 var scriptGroups = null;
 var tasks = [];
+ var parser = 'UserScript';
+ var rHeaderContent = new RegExp(
+ '^(?:\\uFEFF)?\/\/ ==' + parser + '==([\\s\\S]*?)^\/\/ ==\/'+ parser + '==', 'm'
+ );
+ var headerContent = null;
+
 // ---
 if (aErr || !aScript) {
 aNext();
@@ -474,6 +481,16 @@ exports.edit = function (aReq, aRes, aNext) {
 // POST
 aScript.about = aReq.body.about;
+ // Simple validation check
+ headerContent = rHeaderContent.exec(aScript.about);
+ if (headerContent) {
+ statusCodePage(aReq, aRes, aNext, {
+ statusCode: 403, // Forbidden
+ statusMessage: 'Source Code not allowed in Script Info.'
+ });
+ return;
+ }
+
 remark().use(stripHTML).use(stripMD).process(aScript.about, function(aErr, aFile) {
 if (aErr || !aFile) {
 aScript._about = (
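Review bot: In the second hunk `aScript.about = aReq.body.about;` on the context line runs before the new check, so when the block matches the rejected text has already been written onto the in-memory `aScript` by the time the handler returns; testing the request value first keeps the model untouched: `if (rHeaderContent.test(aReq.body.about)) { statusCodePage(aReq, aRes, aNext, { statusCode: 403, statusMessage: 'Source Code not allowed in Script Info.' }); return; }` followed by `aScript.about = aReq.body.about;`. Whether anything later on this path persists `aScript` is outside the hunk, but validating before mutating is the safer order either way. `edit` starts before and continues after this hunk.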