From 8265bbfeb543d9e72990e6d47b6c3d9b84809bbb Mon Sep 17 00:00:00 2001
From: Lee Salminen
Date: Tue, 27 Dec 2022 16:19:39 -0600
Subject: [PATCH] regex validation
---
 lnbits/extensions/nostrnip5/views_api.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lnbits/extensions/nostrnip5/views_api.py b/lnbits/extensions/nostrnip5/views_api.py
index 3d005696..23c1decf 100644
--- a/lnbits/extensions/nostrnip5/views_api.py
+++ b/lnbits/extensions/nostrnip5/views_api.py
@@ -1,5 +1,6 @@
 from http import HTTPStatus
 from typing import Optional
+import re
 from bech32 import bech32_decode, convertbits
 from fastapi import Query, Request, Response
@@ -158,6 +159,12 @@ async def api_address_create(
 status_code=HTTPStatus.NOT_FOUND, detail="You're sneaky, nice try."
 )
+ regex = re.compile(r'^[a-z0-9_.]+$')
+ if not re.fullmatch(regex, post_data.local_part.lower()):
+ raise HTTPException(
+ status_code=HTTPStatus.NOT_FOUND, detail="Only a-z, 0-9 and .-_ are allowed characters, case insensitive."
+ )
+
 exists = await get_address_by_local_part(domain_id, post_data.local_part)
 if exists:
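Review bot: The new check validates `post_data.local_part.lower()`, but the duplicate lookup on the next line, and presumably the code that later stores the address, still use the original `post_data.local_part`, so the value that passed validation is not the value that gets used. Mixed-case names can then coexist as distinct addresses unless the lookup is case-insensitive, and a few non-ASCII characters lowercase to ASCII letters, so they would pass the check while the stored name keeps the original code point. Normalise once and reuse the result, e.g. `post_data.local_part = post_data.local_part.lower()` before the match. The character class `[a-z0-9_.]` also rejects `-` although the error text lists `.-_` as allowed; make the two agree (`[a-z0-9_.-]`), and consider `HTTPStatus.BAD_REQUEST` rather than `NOT_FOUND` for a validation failure. The body of `api_address_create` starts and ends outside this hunk.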