Add protection for mention spam #524
Conversation
src/protections/MentionSpam.ts
Outdated
| import { NumberProtectionSetting } from "./ProtectionSettings"; | ||
|
|
||
| export const DEFAULT_MAX_MENTIONS = 10; | ||
| const USER_ID_REGEX = /@[^:]*:.+/; |
There was a problem hiding this comment.
can we just limit this to number of @ symbols? (plus HTML encoded varient for htmlBody)
There was a problem hiding this comment.
I think there are concrete chances of that reacting on somebody posting a snippet of code with some delimiter:
some = value
;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
next = sectionThere was a problem hiding this comment.
"don't do that in my rooms" :p
| if (typeof body === "string" && body.split('@').length - 1 > max) { | ||
| return true; | ||
| } | ||
| if (typeof htmlBody === "string" && htmlBody.split('%40').length - 1 > max) { |
There was a problem hiding this comment.
@Half-Shot Just a heads up, I know this isn't supposed to be perfect, but I don't think all clients urlencode mxids properly in the anchor hrefs
There was a problem hiding this comment.
(famously element didnt in the past. Not sure if this has been fixed. I just remember other client devs implementing workarounds for this case)
There was a problem hiding this comment.
why even have standards 🔥
thanks, I'll address this one when I'm back if someone doesn't get to it first.
…tection. From matrix-org/mjolnir#524. Co-authored-by: Half-Shot <will@half-shot.uk>
…tection. From matrix-org/mjolnir#524. Co-authored-by: Half-Shot <will@half-shot.uk>
…tection. From matrix-org/mjolnir#524. Co-authored-by: Half-Shot <will@half-shot.uk>
Fixes #309 #211
This protection checks whether a message contains a large number of mentions and redacts the message. It currently checks the mentions array, then the body and finally the formatted body. I've chosen 10 as a sensible max number of mentions before the message may be considered spam, although this is configurable via a setting.