[keyserver] Handle offensive words in invite links

Summary: Check if an invite link contains abusive words and return an error if that's the case. https://linear.app/comm/issue/ENG-4181/handle-offensive-abusive-words https://www.npmjs.com/package/bad-words Depends on D8494 Test Plan: Tried to create a link consisting of just an offensive word and an error was returned. Tried to create a link with a string consisting of an offensive word with some prefix - a link was created correctly. This isn't ideal, but handing it correctly might be challenging: e.g. `invite/class` sounds like a proper link, but simply checking if it contains an offensive substring would forbid it. Reviewers: kamil, inka, ashoat Reviewed By: ashoat Differential Revision: https://phab.comm.dev/D8527
CommE2E · Jul 28, 2023 · 9370f91 · 9370f91
1 parent 9143e12
commit 9370f91
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/keyserver/package.json b/keyserver/package.json
@@ -46,6 +46,7 @@
     "@parse/node-apn": "^3.2.0",
     "@vingle/bmp-js": "^0.2.5",
     "JSONStream": "^1.3.5",
+    "bad-words": "^3.0.4",
     "common-tags": "^1.7.2",
     "cookie-parser": "^1.4.3",
     "dateformat": "^3.0.3",

diff --git a/keyserver/src/creators/invite-link-creator.js b/keyserver/src/creators/invite-link-creator.js
@@ -1,5 +1,7 @@
 // @flow
 
+import Filter from 'bad-words';
+
 import type {
   CreateOrUpdatePublicLinkRequest,
   InviteLink,
@@ -19,6 +21,7 @@ import { checkThreadPermission } from '../fetchers/thread-permission-fetchers.js
 import { Viewer } from '../session/viewer.js';
 
 const secretRegex = /^[a-zA-Z0-9]+$/;
+const badWordsFilter = new Filter();
 
 async function createOrUpdatePublicLink(
   viewer: Viewer,
@@ -27,6 +30,9 @@ async function createOrUpdatePublicLink(
   if (!secretRegex.test(request.name)) {
     throw new ServerError('invalid_characters');
   }
+  if (badWordsFilter.isProfane(request.name)) {
+    throw new ServerError('offensive_words');
+  }
 
   const permissionPromise = checkThreadPermission(
     viewer,

diff --git a/yarn.lock b/yarn.lock
@@ -7617,6 +7617,18 @@ babel-preset-jest@^26.6.2:
     babel-plugin-jest-hoist "^26.6.2"
     babel-preset-current-node-syntax "^1.0.0"
 
+bad-words@^3.0.4:
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/bad-words/-/bad-words-3.0.4.tgz#044c83935c4c363a905d47b5e0179f7241fecaec"
+  integrity sha512-v/Q9uRPH4+yzDVLL4vR1+S9KoFgOEUl5s4axd6NIAq8SV2mradgi4E8lma/Y0cw1ltVdvyegCQQKffCPRCp8fg==
+  dependencies:
+    badwords-list "^1.0.0"
+
+badwords-list@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/badwords-list/-/badwords-list-1.0.0.tgz#5e9856dbf13482a295c3b0b304afb9d4cfc5c579"
+  integrity sha512-oWhaSG67e+HQj3OGHQt2ucP+vAPm1wTbdp2aDHeuh4xlGXBdWwzZ//pfu6swf5gZ8iX0b7JgmSo8BhgybbqszA==
+
 balanced-match@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"