fix: validate Group IDs and SecureJoin tokens

src/tools.rs

@@ -277,6 +277,14 @@ pub(crate) fn create_id() -> String {
         .collect()
 }
 
+/// Returns true if given string is a valid ID.
+///
+/// All IDs generated with `create_id()` should be considered valid.
+pub(crate) fn validate_id(s: &str) -> bool {
+    let alphabet = base64::alphabet::URL_SAFE.as_str();
+    s.chars().all(|c| alphabet.contains(c)) && s.len() > 10 && s.len() <= 32
+}
+
 /// Function generates a Message-ID that can be used for a new outgoing message.
 /// - this function is called for all outgoing messages.
 /// - the message ID should be globally unique
@@ -966,6 +974,27 @@ DKIM Results: Passed=true, Works=true, Allow_Keychange=true";
         assert_eq!(buf.len(), 11);
     }
 
+    #[test]
+    fn test_validate_id() {
+        for _ in 0..10 {
+            assert!(validate_id(&create_id()));
+        }
+
+        assert_eq!(validate_id("aaaaaaaaaaaa"), true);
+        assert_eq!(validate_id("aa-aa_aaaXaa"), true);
+
+        // ID cannot contain whitespace.
+        assert_eq!(validate_id("aaaaa aaaaaa"), false);
+        assert_eq!(validate_id("aaaaa\naaaaaa"), false);
+
+        // ID cannot contain "/", "+".
+        assert_eq!(validate_id("aaaaa/aaaaaa"), false);
+        assert_eq!(validate_id("aaaaaaaa+aaa"), false);
+
+        // Too long ID.
+        assert_eq!(validate_id("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), false);
+    }
+
     #[test]
     fn test_create_id_invalid_chars() {
         for _ in 1..1000 {