improve validation of query parameters
This commit is contained in:
parent
e8a3c764e0
commit
35bbd0509a
31
index.js
31
index.js
|
|
@ -176,12 +176,17 @@ function catchExceptionsJson(wrapped) {
|
|||
async function getGameListHandler(req, res, next) {
|
||||
res.set('Cache-Control', 'no-store');
|
||||
|
||||
const afterTime = req.params.afterTime;
|
||||
const afterTime =
|
||||
(typeof req.params.afterTime === 'string') ?
|
||||
Number(req.params.afterTime) :
|
||||
undefined;
|
||||
|
||||
if (afterTime !== undefined && !afterTime.match(/^\d+$/)) {
|
||||
if (afterTime !== undefined) {
|
||||
if (!Number.isInteger(afterTime) || String(afterTime) !== req.params.afterTime) {
|
||||
res.status(400).json({ message: 'malformed time' });
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
const pollTimeout = waitFor(POLLING_TIMEOUT).then(() => 'timeout').catch(()=>{});
|
||||
|
||||
|
|
@ -197,7 +202,7 @@ async function getGameListHandler(req, res, next) {
|
|||
LIMIT 1000
|
||||
`;
|
||||
const results = await (await dbInit).allAsync(querySql, {
|
||||
$afterTime: checkInteger(Number(afterTime), 'afterTime', 0),
|
||||
$afterTime: afterTime,
|
||||
$cutoff: cutoff,
|
||||
});
|
||||
|
||||
|
|
@ -224,14 +229,18 @@ async function getGameHandler(req, res, next) {
|
|||
res.set('Cache-Control', 'no-store');
|
||||
|
||||
const gameId = req.params.gameId;
|
||||
const afterTime = req.params.afterTime;
|
||||
|
||||
if (!gameId.match(/^[0-9a-f]{16}$/)) {
|
||||
if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
|
||||
res.status(400).json({ message: 'malformed game ID' });
|
||||
return;
|
||||
}
|
||||
|
||||
if (afterTime !== undefined && !afterTime.match(/^\d+$/)) {
|
||||
const afterTime =
|
||||
(typeof req.params.afterTime === 'string') ?
|
||||
Number(req.params.afterTime) :
|
||||
undefined;
|
||||
|
||||
if (afterTime !== undefined && String(afterTime) !== req.params.afterTime) {
|
||||
res.status(400).json({ message: 'malformed time' });
|
||||
return;
|
||||
}
|
||||
|
|
@ -305,13 +314,14 @@ async function postGameHandler(req, res, next) {
|
|||
res.set('Cache-Control', 'no-store');
|
||||
|
||||
const gameId = req.params.gameId;
|
||||
const body = validateUpdate(req.body);
|
||||
|
||||
if (!gameId.match(/^[0-9a-f]{16}$/)) {
|
||||
if (typeof gameId !== 'string' || !gameId.match(/^[0-9a-f]{16}$/)) {
|
||||
res.status(400).json({ message: 'malformed game ID' });
|
||||
return;
|
||||
}
|
||||
|
||||
const body = validateUpdate(req.body);
|
||||
|
||||
if (!body) {
|
||||
res.status(400).json({ message: 'invalid request' });
|
||||
return;
|
||||
|
|
@ -331,11 +341,6 @@ async function postGameHandler(req, res, next) {
|
|||
$time: time,
|
||||
};
|
||||
|
||||
if (params.$modified >= params.$time) {
|
||||
res.status(400).json({ message: 'invalid modification time' });
|
||||
return;
|
||||
}
|
||||
|
||||
let setClause = '';
|
||||
let whereClause = '';
|
||||
let hasBoard = false;
|
||||
|
|
|
|||
Loading…
Reference in New Issue