From 9490f1796cb31a94bff55c2dbfefd4292b5430f5 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Fri, 30 Dec 2022 18:28:24 +0200
Subject: [PATCH] check badge names
---
 files/helpers/regex.py | 2 ++
 files/routes/comments.py | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/files/helpers/regex.py b/files/helpers/regex.py
index 8c73f689d..02bd280b4 100644
--- a/files/helpers/regex.py
+++ b/files/helpers/regex.py
@@ -21,6 +21,8 @@ tags_regex = re.compile("[a-z0-9: ]{1,200}", flags=re.A)
 hat_regex = re.compile("[a-zA-Z0-9\-() ,_]{1,50}", flags=re.A)
 description_regex = re.compile("[^<>&\n\t]{1,300}", flags=re.A)
+badge_name_regex = re.compile("[A-Za-z0-9 ]+", flags=re.A)
+
 valid_sub_regex = re.compile("^[a-zA-Z0-9_\-]{3,25}$", flags=re.A)
diff --git a/files/routes/comments.py b/files/routes/comments.py
index 1e730b5dc..d010a467c 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -177,6 +177,12 @@ def comment(v:User):
 badge_def = loads(body)
 name = badge_def["name"]
+ if len(name) > 50:
+ abort(400, "Badge name is too long!")
+
+ if not badge_name_regex.fullmatch(name):
+ abort(400, "Invalid badge name!")
+
 existing = g.db.query(BadgeDef).filter_by(name=name).one_or_none()
 if existing:
 abort(409, "A badge with this name already exists!")
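Review bot: `badge_name_regex` requires no non-space character, so a name made only of spaces, or one padded with leading/trailing spaces, passes the `fullmatch` call in comments.py, and `"Foo"` and `"Foo "` then count as two different names for the `filter_by(name=name)` uniqueness lookup there. The neighbouring `hat_regex` also carries its length cap inside the pattern, whereas this one leaves the 50-character limit to the caller. `badge_name_regex = re.compile("[A-Za-z0-9][A-Za-z0-9 ]{0,49}", flags=re.A)` would reject whitespace-only names and make the limit visible at the definition; stripping the name before matching is the complementary fix on the caller side if padded input is expected.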
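Review bot: The new checks assume `name` is a string, but `badge_def` comes straight from `loads(body)` (presumably JSON), so a body carrying `"name": 123` or `"name": null` raises `TypeError` at `len(name)` or at `badge_name_regex.fullmatch(name)` and surfaces as an unhandled 500 rather than the intended 400. A type guard ahead of the length check closes this: `if not isinstance(name, str) or len(name) > 50:` followed by the existing `abort(400, "Badge name is too long!")`, or a separate `abort(400, "Badge name must be a string!")` if the messages should stay distinct. The context line `name = badge_def["name"]` has the same shape of problem (a missing key raises `KeyError`), though it predates this change. The enclosing `comment` route starts and ends outside the hunk.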