fix(api): Disallow creating courses with non alphanumeric (+-_) and long slug

This fixes a security issue, where a malicious lecturer or admin, or attacker who gained their access
can create a course with a slug that is injected into commands, a worker runs.

Executing just `ffmpeg` in the worker has been considered, but the worker currently relies on the shells
capability to redirect its stdout to a file.

Thanks to @oiidmnk and @lcarilla for reporting the issue!

Author: joschahenningsen

model/course.go

@@ -2,8 +2,10 @@ package model
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
+	"regexp"
 	"time"
 
 	"gorm.io/gorm"
@@ -331,3 +333,13 @@ func (c Course) IsLoggedIn() bool {
 func (c Course) IsEnrolled() bool {
 	return c.Visibility == "enrolled"
 }
+
+var courseSlugRegex = regexp.MustCompile(`^[a-zA-Z0-9\-_]{1,150}$`)
+
+// BeforeSave returns an error if the course to be inserted is invalid
+func (c *Course) BeforeSave(tx *gorm.DB) (err error) {
+	if !courseSlugRegex.MatchString(c.Slug) {
+		return errors.New("invalid course slug")
+	}
+	return nil
+}

model/course_test.go

@@ -0,0 +1,30 @@
+package model
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestBeforeSave(t *testing.T) {
+	course := &Course{}
+	cases := []struct {
+		slug    string
+		wantErr bool
+	}{
+		{"", true},
+		{strings.Repeat("a", 300), true},
+		{"test123", false},
+		{"test_123", false},
+		{"!test", true},
+		{"\" && rm -rf /", true},
+	}
+	for _, tc := range cases {
+		course.Slug = tc.slug
+		err := course.BeforeSave(nil)
+		if err == nil && tc.wantErr {
+			t.Errorf("BeforeCreate(%q) = nil, want error", tc.slug)
+		} else if err != nil && !tc.wantErr {
+			t.Errorf("BeforeCreate(%q) = %v, want nil", tc.slug, err)
+		}
+	}
+}

model/lecture_hall_test.go

@@ -0,0 +1 @@
+package model

web/template/admin/admin_tabs/create-course.gohtml

@@ -49,7 +49,7 @@
                                required
                                placeholder="eidi"
                                :class="slug === '' ? 'border-red-500 focus:border-red-500' : ''"
-                               @input="slug = slug.replace(/[^A-Za-z0-9\-_.+()~]/g, '')"/>
+                               @input="slug = slug.replace(/[^A-Za-z0-9\-_]/g, '')"/>
                     </div>
                     {{template "semester-selection"}}
                 </form>