From e61e35226db64d3b70b03c7205e1c3387e4f90e7 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Sat, 25 Feb 2023 15:51:30 -0600
Subject: [PATCH] disallow url()
---
 files/helpers/const.py | 13 +------------
 files/helpers/regex.py | 13 +++++++++++++
 files/helpers/sanitize.py | 2 ++
 3 files changed, 16 insertions(+), 12 deletions(-)
 create mode 100644 files/helpers/regex.py
diff --git a/files/helpers/const.py b/files/helpers/const.py
index c070f80a6..80f4e1e2e 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -270,23 +270,12 @@ approved_embed_hosts = [
 ]
 hosts = "|".join(approved_embed_hosts).replace('.','\\.')
-
 image_check_regex = re.compile(f'!\\[\\]\\(((?!(https:\\/\\/([a-z0-9-]+\\.)*({hosts})\\/|\\/)).*?)\\)', flags=re.A)
-
 embed_fullmatch_regex = re.compile(f'https:\\/\\/([a-z0-9-]+\\.)*({hosts})\\/[\\w:~,()\\-.#&\\/=?@%;+]*', flags=re.A)
-
 video_sub_regex = re.compile(f'(

[^<]*)(https:\\/\\/([a-z0-9-]+\\.)*({hosts})\\/[\\w:~,()\\-.#&\\/=?@%;+]*?\\.(mp4|webm|mov))', flags=re.A)
-youtube_regex = re.compile('(

[^<]*)(https:\\/\\/youtube\\.com\\/watch\\?v\\=([a-z0-9-_]{5,20})[\\w\\-.#&/=\\?@%+]*)', flags=re.I|re.A)
-
-yt_id_regex = re.compile('[a-z0-9-_]{5,20}', flags=re.I|re.A)
-
-image_regex = re.compile("(^|\\s)(https:\\/\\/[\\w\\-.#&/=\\?@%;+]{5,250}(\\.png|\\.jpg|\\.jpeg|\\.gif|\\.webp|maxwidth=9999|fidelity=high))($|\\s)", flags=re.I|re.A)
-
 procoins_li = (0,2500,5000,10000,25000,50000,125000,250000)
-linefeeds_regex = re.compile("([^\\n])\\n([^\\n])", flags=re.A)
-
-html_title_regex = re.compile("(.{1,200})", flags=re.I)
+from files.helpers.regex import *
 def make_name(*args, **kwargs): return request.base_url
diff --git a/files/helpers/regex.py b/files/helpers/regex.py
new file mode 100644
index 000000000..c79580bdf
--- /dev/null
+++ b/files/helpers/regex.py
@@ -0,0 +1,13 @@
+import re
+
+youtube_regex = re.compile('(
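Review bot: The added `from files.helpers.regex import *` in const.py is a wildcard import placed after executable code, and the new regex.py declares no `__all__`, so it also pulls `re` and every name later added to regex.py into const's namespace. The same wildcard is added in sanitize.py, which makes it hard to see which patterns the sanitizer actually depends on. If the const.py import is meant as a compatibility re-export, list the moved names explicitly, e.g. `from files.helpers.regex import youtube_regex, yt_id_regex, image_regex, linefeeds_regex, html_title_regex`, and in sanitize.py import only what is used, e.g. `from files.helpers.regex import css_url_regex`. Alternatively add an `__all__` to regex.py so the exported set is deliberate.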

[^<]*)(https:\\/\\/youtube\\.com\\/watch\\?v\\=([a-z0-9-_]{5,20})[\\w\\-.#&/=\\?@%+]*)', flags=re.I|re.A)
+
+yt_id_regex = re.compile('[a-z0-9-_]{5,20}', flags=re.I|re.A)
+
+image_regex = re.compile("(^|\\s)(https:\\/\\/[\\w\\-.#&/=\\?@%;+]{5,250}(\\.png|\\.jpg|\\.jpeg|\\.gif|\\.webp|maxwidth=9999|fidelity=high))($|\\s)", flags=re.I|re.A)
+
+linefeeds_regex = re.compile("([^\\n])\\n([^\\n])", flags=re.A)
+
+html_title_regex = re.compile(r"(.{1,200})", flags=re.I)
+
+css_url_regex = re.compile(r'url\(\s*[\'"]?(.*?)[\'"]?\s*\)', flags=re.I|re.A)
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 5e665726c..a65e498fe 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -13,6 +13,7 @@ from random import random, choice
 import gevent
 import time
 import requests
+from files.helpers.regex import *
 from files.__main__ import app
 TLDS = ('ac','ad','ae','aero','af','ag','ai','al','am','an','ao','aq','ar',
@@ -378,4 +379,5 @@ def validate_css(css:str) -> tuple[bool, str]:
 ''' if '
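Review bot: `css_url_regex` in regex.py recognises only the literal spelling `url(...)` with its argument on one line, which is a narrow basis for the commit's stated goal of disallowing url() in user CSS. CSS allows the function name to be written with escape sequences and can reference external resources without url() at all (for example `@import` with a bare string), and `.` does not match a newline here because `re.S` is not set, so a check built on this pattern alone can miss input a browser still treats as a URL reference. The validate_css hunk in sanitize.py is cut off in this view, so how the pattern is applied is not visible. If it is the only gate, tokenise the stylesheet with a CSS parser and reject URL tokens there, backed by a Content-Security-Policy that restricts `img-src`, `font-src` and `style-src`. A comment above the pattern such as `# denylist helper only: does not decode CSS escapes or cover @import` would keep it from being reused as a full validator.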