improve validation of query parameters

This commit is contained in:
Jesse D. McDonald 2020-04-28 14:36:59 -05:00
parent e8a3c764e0
commit 35bbd0509a
1 changed files with 20 additions and 15 deletions


@ -176,12 +176,17 @@ function catchExceptionsJson(wrapped) {
async function getGameListHandler(req, res, next) { async function getGameListHandler(req, res, next) {
res.set('Cache-Control', 'no-store'); res.set('Cache-Control', 'no-store');
const afterTime = req.params.afterTime; const afterTime =
(typeof req.params.afterTime === 'string') ?
Number(req.params.afterTime) :
undefined;
if (afterTime !== undefined && !afterTime.match(/^\d+$/)) { if (afterTime !== undefined) {
if (!Number.isInteger(afterTime) || String(afterTime) !== req.params.afterTime) {
res.status(400).json({ message: 'malformed time' }); res.status(400).json({ message: 'malformed time' });
return; return;
} }
}
const pollTimeout = waitFor(POLLING_TIMEOUT).then(() => 'timeout').catch(()=>{}); const pollTimeout = waitFor(POLLING_TIMEOUT).then(() => 'timeout').catch(()=>{});
@ -197,7 +202,7 @@ async function getGameListHandler(req, res, next) {
LIMIT 1000 LIMIT 1000
`; `;
const results = await (await dbInit).allAsync(querySql, { const results = await (await dbInit).allAsync(querySql, {
$afterTime: checkInteger(Number(afterTime), 'afterTime', 0), $afterTime: afterTime,
$cutoff: cutoff, $cutoff: cutoff,
}); });
@ -224,14 +229,18 @@ async function getGameHandler(req, res, next) {
res.set('Cache-Control', 'no-store'); res.set('Cache-Control', 'no-store');
const gameId = req.params.gameId; const gameId = req.params.gameId;
const afterTime = req.params.afterTime;
if (!gameId.match(/^[0-9a-f]{16}$/)) { if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
res.status(400).json({ message: 'malformed game ID' }); res.status(400).json({ message: 'malformed game ID' });
return; return;
} }
if (afterTime !== undefined && !afterTime.match(/^\d+$/)) { const afterTime =
(typeof req.params.afterTime === 'string') ?
Number(req.params.afterTime) :
undefined;
if (afterTime !== undefined && String(afterTime) !== req.params.afterTime) {
res.status(400).json({ message: 'malformed time' }); res.status(400).json({ message: 'malformed time' });
return; return;
} }
@ -305,13 +314,14 @@ async function postGameHandler(req, res, next) {
res.set('Cache-Control', 'no-store'); res.set('Cache-Control', 'no-store');
const gameId = req.params.gameId; const gameId = req.params.gameId;
const body = validateUpdate(req.body);
if (!gameId.match(/^[0-9a-f]{16}$/)) { if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
res.status(400).json({ message: 'malformed game ID' }); res.status(400).json({ message: 'malformed game ID' });
return; return;
} }
const body = validateUpdate(req.body);
if (!body) { if (!body) {
res.status(400).json({ message: 'invalid request' }); res.status(400).json({ message: 'invalid request' });
return; return;
@ -331,11 +341,6 @@ async function postGameHandler(req, res, next) {
$time: time, $time: time,
}; };
if (params.$modified >= params.$time) {
res.status(400).json({ message: 'invalid modification time' });
return;
}
let setClause = ''; let setClause = '';
let whereClause = ''; let whereClause = '';
let hasBoard = false; let hasBoard = false;
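Review bot: In the getGameHandler hunk (`@ -224,14 +229,18`), the new check `if (afterTime !== undefined && String(afterTime) !== req.params.afterTime)` only round-trips the parameter through Number(), so the strings `"NaN"`, `"Infinity"`, `"-Infinity"` and `"1.5"` all pass it (each stringifies back to itself), whereas the `/^\d+$/` regex it replaces rejected them. The getGameListHandler hunk in this same commit additionally requires `Number.isInteger(afterTime)`; the two handlers validate the same parameter and should agree, so the getGameHandler line should read `if (afterTime !== undefined && (!Number.isInteger(afterTime) || String(afterTime) !== req.params.afterTime)) {`. Negative integers such as `"-3"` survive both versions of the check; if afterTime is meant to be non-negative, as the removed `checkInteger(Number(afterTime), 'afterTime', 0)` call in getGameListHandler may suggest (its third argument's meaning is not visible here), an explicit `afterTime < 0` rejection belongs in both handlers too. The bodies of both handlers continue outside their hunks.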