Filter invalid channel IDs.

src/main/java/me/kavin/piped/Main.java

@@ -12,7 +12,6 @@ import me.kavin.piped.utils.obj.db.PlaylistVideo;
 import me.kavin.piped.utils.obj.db.PubSub;
 import me.kavin.piped.utils.obj.db.Video;
 import okhttp3.OkHttpClient;
-import org.apache.commons.lang3.StringUtils;
 import org.hibernate.Session;
 import org.hibernate.StatelessSession;
 import org.schabi.newpipe.extractor.NewPipe;
@@ -123,9 +122,8 @@ public class Main {
                             .setParameter("unauthSubbed", System.currentTimeMillis() - TimeUnit.DAYS.toMillis(Constants.SUBSCRIPTIONS_EXPIRY))
                             .getResultStream()
                             .parallel()
+                            .filter(ChannelHelpers::isValidId)
                             .forEach(id -> Multithreading.runAsyncLimitedPubSub(() -> {
-                                if (StringUtils.isBlank(id) || !id.matches("UC[A-Za-z\\d_-]{22}"))
-                                    return;
                                 try (StatelessSession sess = DatabaseSessionFactory.createStatelessSession()) {
                                     var pubsub = new PubSub(id, -1);
                                     var tr = sess.beginTransaction();

src/main/java/me/kavin/piped/server/handlers/auth/FeedHandlers.java

@@ -8,10 +8,7 @@ import jakarta.persistence.criteria.CriteriaBuilder;
 import jakarta.persistence.criteria.CriteriaQuery;
 import jakarta.persistence.criteria.JoinType;
 import me.kavin.piped.consts.Constants;
-import me.kavin.piped.utils.DatabaseHelper;
+import me.kavin.piped.utils.*;
-import me.kavin.piped.utils.DatabaseSessionFactory;
-import me.kavin.piped.utils.ExceptionHandler;
-import me.kavin.piped.utils.Multithreading;
 import me.kavin.piped.utils.obj.StreamItem;
 import me.kavin.piped.utils.obj.SubscriptionChannel;
 import me.kavin.piped.utils.obj.db.Channel;
@@ -42,6 +39,9 @@ public class FeedHandlers {
         if (StringUtils.isBlank(session) || StringUtils.isBlank(channelId))
             ExceptionHandler.throwErrorResponse(new InvalidRequestResponse("session and channelId are required parameters"));
 
+        if (!ChannelHelpers.isValidId(channelId))
+            ExceptionHandler.throwErrorResponse(new InvalidRequestResponse("channelId is not a valid YouTube channel ID"));
+
         try (Session s = DatabaseSessionFactory.createSession()) {
 
             User user = DatabaseHelper.getUserFromSessionWithSubscribed(session);
@@ -208,8 +208,7 @@ public class FeedHandlers {
     public static byte[] unauthenticatedFeedResponse(String[] channelIds) throws Exception {
 
         Set<String> filtered = Arrays.stream(channelIds)
-                .filter(StringUtils::isNotBlank)
+                .filter(ChannelHelpers::isValidId)
-                .filter(id -> id.matches("[A-Za-z\\d_-]+"))
                 .collect(Collectors.toUnmodifiableSet());
 
         if (filtered.isEmpty())
@@ -250,8 +249,7 @@ public class FeedHandlers {
     public static byte[] unauthenticatedFeedResponseRSS(String[] channelIds) throws Exception {
 
         Set<String> filtered = Arrays.stream(channelIds)
-                .filter(StringUtils::isNotBlank)
+                .filter(ChannelHelpers::isValidId)
-                .filter(id -> id.matches("[A-Za-z\\d_-]+"))
                 .collect(Collectors.toUnmodifiableSet());
 
         if (filtered.isEmpty())
@@ -469,8 +467,7 @@ public class FeedHandlers {
             throws IOException {
 
         Set<String> filtered = Arrays.stream(channelIds)
-                .filter(StringUtils::isNotBlank)
+                .filter(ChannelHelpers::isValidId)
-                .filter(id -> id.matches("[A-Za-z\\d_-]+"))
                 .collect(Collectors.toUnmodifiableSet());
 
         if (filtered.isEmpty())

src/main/java/me/kavin/piped/utils/ChannelHelpers.java

@@ -3,6 +3,7 @@ package me.kavin.piped.utils;
 import me.kavin.piped.consts.Constants;
 import me.kavin.piped.utils.obj.db.Channel;
 import okhttp3.Request;
+import org.apache.commons.lang3.StringUtils;
 import org.hibernate.StatelessSession;
 
 import java.io.IOException;
@@ -11,6 +12,10 @@ import java.net.URL;
 
 public class ChannelHelpers {
 
+    public static boolean isValidId(String id) {
+        return !StringUtils.isBlank(id) && id.matches("UC[a-zA-Z\\d_-]{22}");
+    }
+
     public static void updateChannel(StatelessSession s, Channel channel, String name, String avatarUrl, boolean uploaderVerified) {
 
         boolean changed = false;

src/main/java/me/kavin/piped/utils/DatabaseHelper.java

@@ -175,7 +175,7 @@ public class DatabaseHelper {
 
     public static Channel saveChannel(String channelId) {
 
-        if (!channelId.matches("[A-Za-z\\d_-]+"))
+        if (!ChannelHelpers.isValidId(channelId))
             return null;
 
 

src/main/java/me/kavin/piped/utils/PubSubHelper.java

@@ -13,6 +13,9 @@ import java.util.concurrent.TimeUnit;
 public class PubSubHelper {
     public static void subscribePubSub(String channelId) throws IOException {
 
+        if (!ChannelHelpers.isValidId(channelId))
+            return;
+
         PubSub pubsub = DatabaseHelper.getPubSubFromId(channelId);
 
         if (pubsub == null || System.currentTimeMillis() - pubsub.getSubbedAt() > TimeUnit.DAYS.toMillis(4)) {

src/main/java/me/kavin/piped/utils/matrix/SyncRunner.java

@@ -148,11 +148,13 @@ public class SyncRunner implements Runnable {
                                                 } catch (Exception ignored) {
                                                 }
                                             });
+                                            continue;
                                         }
                                     }
                                     case "video.piped.stream.bypass.response" -> {
                                         FederatedGeoBypassResponse bypassResponse = mapper.treeToValue(content, FederatedGeoBypassResponse.class);
                                         GeoRestrictionBypassHelper.addResponse(bypassResponse);
+                                        continue;
                                     }
                                 }
                             }