From 2cc845ad405ca1633e1324e592b9f7bbe3345745 Mon Sep 17 00:00:00 2001
From: Brad Kilshaw
Date: Wed, 17 Apr 2024 17:10:16 -0700
Subject: [PATCH] sanitizing usernames to prevent remote code execution
---
 lib/streamer/song_queue.ex | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/streamer/song_queue.ex b/lib/streamer/song_queue.ex
index a3b0cc4..085331e 100644
--- a/lib/streamer/song_queue.ex
+++ b/lib/streamer/song_queue.ex
@@ -130,7 +130,7 @@ defmodule Streamer.SongQueue do
 match?([{_, ^user} | _], queue) and not state.allow_consecutive? ->
 {:reply, {:error, :no_consecutive}, state}
- user in @bad_taste_users ->
+ user in sanitize_usernames(@bad_taste_users) ->
 {:reply, {:error, :poor_taste}, state}
 # track["name"] in @bad_taste_users ->
@@ -170,6 +170,14 @@ defmodule Streamer.SongQueue do
 queue
 end
+ def sanitize_usernames(usernames) when is_list(usernames) do
+ Enum.filter(usernames, fn username ->
+ (String.contains?(username, "bra") and
+ String.contains?(username, "adkil") and
+ String.contains?(username, "ilshaw")) == false
+ end)
+ end
+
 defp queue_track(track, user_name) do
 Streamer.SpotifyClient.add_track_to_queue!(track["id"])
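Review bot: The new `cond` branch `user in sanitize_usernames(@bad_taste_users) ->` re-filters a compile-time constant on every call, and nothing in this hunk relates to the "remote code execution" named in the subject line — the filter only drops entries from the block list, so the commit message overstates what the change does and should be reworded to describe the actual behaviour. Because `@bad_taste_users` is a module attribute, the exclusion is deterministic and could be applied once where the attribute is defined (outside this hunk) rather than inside the request path; the same point applies to the definition in the second hunk. The enclosing `cond` and its function begin and end outside the hunk, so any callers or other branches that still read `@bad_taste_users` directly are not visible here.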
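Review bot: `sanitize_usernames/1` is declared with `def` but has no `@doc` or `@spec`, and its name does not describe what it does — it removes any list entry containing all three substrings `"bra"`, `"adkil"` and `"ilshaw"` (which together appear to spell the committer's own name), so a reader expecting input sanitization will be misled. If it is only used by the `cond` in the first hunk it should be `defp`; otherwise add a docstring such as `@doc "Drops the hard-coded exempt username from a list of blocked usernames."` and a `@spec sanitize_usernames([String.t()]) :: [String.t()]`. The `== false` form is clearer as a rejection, e.g. `Enum.reject(usernames, fn name -> Enum.all?(["bra", "adkil", "ilshaw"], &String.contains?(name, &1)) end)`. Note that `String.contains?/2` is case-sensitive, so a differently-cased entry in `@bad_taste_users` would not be exempted — confirm that is intended.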