From 74d6b4e81e0e005c96853f848536258dffb22adc Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 7 Mar 2022 04:36:20 -0600
Subject: [PATCH] users: don't allow names ending with file extensions.

This is so in the future we can have URLs like https://danbooru.donmai.us/users/evazion without problems caused by names like https://danbooru.donmai.us/users/evazion.json
---
 app/logical/user_name_validator.rb | 2 ++
 test/unit/user_test.rb | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/app/logical/user_name_validator.rb b/app/logical/user_name_validator.rb
index 99ecce9dc..5bf6ee4c3 100644
--- a/app/logical/user_name_validator.rb
+++ b/app/logical/user_name_validator.rb
@@ -24,6 +24,8 @@ class UserNameValidator < ActiveModel::EachValidator
 rec.errors.add(attr, "can't start with '#{name.first}'")
 elsif name =~ /[[:punct:]]\z/
 rec.errors.add(attr, "can't end with '#{name.last}'")
+ elsif name =~ /\.(html|json|xml|atom|rss|txt|js|css|csv|png|jpg|jpeg|gif|png|mp4|webm|zip|pdf|exe|sitemap)\z/i
+ rec.errors.add(attr, "can't end with a file extension")
 elsif name =~ /__/
 rec.errors.add(attr, "can't contain multiple underscores in a row")
 elsif forbidden_characters.present?
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 3bcbf157c..6fe459727 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -189,6 +189,12 @@ class UserTest < ActiveSupport::TestCase
 assert_equal(["Name must contain only basic letters or numbers"], user.errors.full_messages)
 end
 
+ should "not allow names ending in file extensions" do
+ user = build(:user, name: "evazion.json")
+ user.save
+ assert_equal(["Name can't end with a file extension"], user.errors.full_messages)
+ end
+
 should "not be in the same format as a deleted user" do
 user = build(:user, name: "user_1234")
 user.save
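Review bot: The added `elsif` in user_name_validator.rb is a fixed denylist, so any suffix not listed (constructed examples: `evazion.yaml`, `evazion.svg`) still validates; if the future `/users/:name` route keeps Rails' default optional `(.:format)` segment, such a URL would presumably resolve to the account `evazion` instead, which leaves room for lookalike names. It would be safer to derive the check from the formats the app registers, or to reject every dot-suffixed tail with something like `elsif name =~ /\.[a-z0-9]+\z/i`, accepting that this also blocks names like `first.last`. `png` is listed twice in the alternation and one copy can go. The chain this branch sits in starts and ends outside the hunk, and nothing visible here shows whether existing names that already end in an extension get migrated.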
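Review bot: The new test in user_test.rb pins only the lowercase `evazion.json` case, so the `/i` flag and the rest of the alternation in the validator are never exercised. A second case with a mixed-case name, for instance `user = build(:user, name: "evazion.JSON")` (constructed example) with the same `assert_equal`, would catch a regression where the flag is dropped. If dots inside a name are meant to stay legal, a positive case asserting that such a name saves without this error would document where the rule stops. The enclosing test class continues outside the hunk.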