stricter validation

2025-02-28 08:43:07 +08:00 · 2023-07-17 13:54:24 +02:00 · 2023-07-17 13:54:24 +02:00 · 1a8f0b8f18
commit 1a8f0b8f18
parent 448c1061b8
4 changed files with 41 additions and 11 deletions
--- a/backend/src/api/routes/ape-keys.ts
+++ b/backend/src/api/routes/ape-keys.ts
@ -84,7 +84,7 @@ router.delete(
  checkIfUserCanManageApeKeys,
  validateRequest({
    params: {
-      apeKeyId: joi.string().required(),
+      apeKeyId: joi.string().token().required(),
    },
  }),
  asyncHandler(ApeKeyController.deleteApeKey)
--- a/backend/src/api/routes/leaderboards.ts
+++ b/backend/src/api/routes/leaderboards.ts
@ -11,9 +11,19 @@ import {
 } from "../../middlewares/api-utils";

 const BASE_LEADERBOARD_VALIDATION_SCHEMA = {
-  language: joi.string().required(),
-  mode: joi.string().required(),
-  mode2: joi.string().required(),
+  language: joi
+    .string()
+    .max(50)
+    .pattern(/^[a-zA-Z0-9_+]+$/)
+    .required(),
+  mode: joi
+    .string()
+    .valid("time", "words", "quote", "zen", "custom")
+    .required(),
+  mode2: joi
+    .string()
+    .regex(/^(\d)+|custom|zen/)
+    .required(),
 };

 const LEADERBOARD_VALIDATION_SCHEMA_WITH_LIMIT = {
--- a/backend/src/api/routes/public.ts
+++ b/backend/src/api/routes/public.ts
@ -5,9 +5,19 @@ import { asyncHandler, validateRequest } from "../../middlewares/api-utils";
 import joi from "joi";

 const GET_MODE_STATS_VALIDATION_SCHEMA = {
-  language: joi.string().required(),
-  mode: joi.string().required(),
-  mode2: joi.string().required(),
+  language: joi
+    .string()
+    .max(50)
+    .pattern(/^[a-zA-Z0-9_+]+$/)
+    .required(),
+  mode: joi
+    .string()
+    .valid("time", "words", "quote", "zen", "custom")
+    .required(),
+  mode2: joi
+    .string()
+    .regex(/^(\d)+|custom|zen/)
+    .required(),
 };

 const router = Router();
--- a/backend/src/api/routes/users.ts
+++ b/backend/src/api/routes/users.ts
@ -181,8 +181,15 @@ router.patch(
        .string()
        .valid("time", "words", "quote", "zen", "custom")
        .required(),
-      mode2: joi.string().required(),
-      language: joi.string().required(),
+      mode2: joi
+        .string()
+        .regex(/^(\d)+|custom|zen/)
+        .required(),
+      language: joi
+        .string()
+        .max(50)
+        .pattern(/^[a-zA-Z0-9_+]+$/)
+        .required(),
      rank: joi.number().required(),
    },
  }),
@ -413,8 +420,11 @@ router.get(
  withApeRateLimiter(RateLimit.userGet),
  validateRequest({
    query: {
-      mode: joi.string().required(),
-      mode2: joi.string(),
+      mode: joi
+        .string()
+        .valid("time", "words", "quote", "zen", "custom")
+        .required(),
+      mode2: joi.string().regex(/^(\d)+|custom|zen/),
    },
  }),
  asyncHandler(UserController.getPersonalBests)