use a whitelist pattern for entityid validation

84027bed · Guillaume ROUSSE · 06a59acd · 84027bed
Commit 84027bed authored 7 years ago by Guillaume ROUSSE
--- a/lib/AccountManager/App.pm
+++ b/lib/AccountManager/App.pm
@@ -20,10 +20,15 @@ use AccountManager::Token;
 use AccountManager::Tools;

 # Format de type URL HTTP ou URN
-my $urn_or_url_regex = '(http(s?):\/\/|urn:)[^\\\$\*\"\'\`\^\|\<\>\n\s]+';
-my $url_regex        = 'http(s?):\/\/[^\\\$\*\"\'\`\^\|\<\>\n\s]+';
-my $email_regex      = '([\w\-\_\.\/\+\=\'\&]+|\".*\")\@[\w\-]+(\.[\w\-]+)+';
-my $domains_regex    = '[\w\.\-]+(,[\w\.\-]+)*';
+my $entity_id_pattern = qr{
+    ^
+    (?:
+        https?://[\w.:/-]+
+    |
+        urn:[\w.:-]+
+    )
+    $
+}x;

 my %actions = (
    home               => 'req_home',
@@ -198,7 +203,7 @@ sub req_select_email {
        );
    }

-    if ($self->{in}->{entityid} !~ m/^$urn_or_url_regex$/) {
+    if ($self->{in}->{entityid} !~ $entity_id_pattern) {
        $self->{logger}->error("Incorrect parameter format: entityid");
        $self->respond(
            template => 'index-nobanner.tt2.html',