From 855c338372f448c5d88b28b77aaabd6f0e558406 Mon Sep 17 00:00:00 2001
From: Denys Smirnov
Date: Thu, 14 Nov 2024 20:14:24 +0200
Subject: [PATCH] Validate outbound address and SIP user. (#224)
---
 pkg/sip/client.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/pkg/sip/client.go b/pkg/sip/client.go
index 10a44d9..9588845 100644
--- a/pkg/sip/client.go
+++ b/pkg/sip/client.go
@@ -16,9 +16,11 @@ package sip
 import (
 "context"
+ "errors"
 "fmt"
 "log/slog"
 "net/netip"
+ "strings"
 "sync"
 "time"
@@ -138,6 +140,18 @@ func (c *Client) createSIPParticipant(ctx context.Context, req *rpc.InternalCrea
 } else if req.RoomName == "" {
 return nil, fmt.Errorf("room name must be set")
 }
+ if strings.Contains(req.CallTo, "@") {
+ return nil, errors.New("call_to should be a phone number or SIP user, not a full SIP URI")
+ }
+ if strings.HasPrefix(req.Address, "sip:") || strings.HasPrefix(req.Address, "sips:") {
+ return nil, errors.New("address must be a hostname without 'sip:' prefix")
+ }
+ if strings.Contains(req.Address, "transport=") {
+ return nil, errors.New("address must not contain parameters; use transport field")
+ }
+ if strings.ContainsAny(req.Address, ";=") {
+ return nil, errors.New("address must not contain parameters")
+ }
 log := c.log
 if req.ProjectId != "" {
 log = log.WithValues("projectID", req.ProjectId)
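Review bot: The new `req.Address` checks in createSIPParticipant are a denylist, and a case-sensitive one: `strings.HasPrefix(req.Address, "sip:")` lets `SIP:` or `Sips:` through, and the `";="` set still accepts `@`, `?`, whitespace and CR/LF, all of which have structural meaning in a SIP URI or header if the value is later interpolated into one (that use is outside the hunk). I would run the scheme test on `strings.ToLower(req.Address)` and widen the last check to `strings.ContainsAny(req.Address, ";=@?<> \t\r\n")`, or better, accept only a value that parses as host or host:port. `req.CallTo` gets only the `@` test, so the same concern about `;`, `?` and control characters applies to it. The function body begins and ends outside this hunk, so earlier empty-value or format checks may already cover part of this.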