ユーザー名がUnicode制御文字とスペースのみで構成される場合はnullに

packages/backend/src/server/api/endpoints/i/update.ts

@@ -252,6 +252,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const user = await this.usersRepository.findOneByOrFail({ id: _user.id }) as MiLocalUser;
 			const isSecure = token == null;
 
+			const onlyControlCharsAndSpaceRegex = /^[\u0000-\u001F\u007F-\u009F\u061C\u200E\u200F\u202A-\u202E\u2066-\u2069\s]+$/;
+
 			const updates = {} as Partial<MiUser>;
 			const profileUpdates = {} as Partial<MiUserProfile>;
 
@@ -262,7 +264,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					updates.name = null;
 				} else {
 					const trimmedName = ps.name.trim();
-					updates.name = trimmedName === '' ? null : trimmedName;
+					if (trimmedName === '') {
+						updates.name = null;
+					} else if (onlyControlCharsAndSpaceRegex.test(trimmedName)) {
+						updates.name = null;
+					} else {
+						updates.name = trimmedName;
+					}
 				}
 			}
 			if (ps.description !== undefined) profileUpdates.description = ps.description;

packages/backend/test/e2e/endpoints.ts

@@ -134,6 +134,14 @@ describe('Endpoints', () => {
 			assert.strictEqual(res.body.name, 'あ い う');
 		});
 
+		test('名前にUnicode制御文字とスペースしか含まない場合はnullになる', async () => {
+			const res = await api('i/update', {
+				name: ' \u202e ',
+			}, alice);
+			assert.strictEqual(res.status, 200);
+			assert.strictEqual(res.body.name, null);
+		});
+
 		test('誕生日の設定を削除できる', async () => {
 			await api('i/update', {
 				birthday: '2000-09-07',