From 1a8f0b8f18c4c3ff9573688f14e0178296f0e7df Mon Sep 17 00:00:00 2001
From: Miodec
Date: Mon, 17 Jul 2023 13:54:24 +0200
Subject: [PATCH] stricter validation
---
 backend/src/api/routes/ape-keys.ts | 2 +-
 backend/src/api/routes/leaderboards.ts | 16 +++++++++++++---
 backend/src/api/routes/public.ts | 16 +++++++++++++---
 backend/src/api/routes/users.ts | 18 ++++++++++++++----
 4 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/backend/src/api/routes/ape-keys.ts b/backend/src/api/routes/ape-keys.ts
index d49f43291..b540762fe 100644
--- a/backend/src/api/routes/ape-keys.ts
+++ b/backend/src/api/routes/ape-keys.ts
@@ -84,7 +84,7 @@ router.delete(
 checkIfUserCanManageApeKeys,
 validateRequest({
 params: {
- apeKeyId: joi.string().required(),
+ apeKeyId: joi.string().token().required(),
 },
 }),
 asyncHandler(ApeKeyController.deleteApeKey)
diff --git a/backend/src/api/routes/leaderboards.ts b/backend/src/api/routes/leaderboards.ts
index fc891cd4f..403720d47 100644
--- a/backend/src/api/routes/leaderboards.ts
+++ b/backend/src/api/routes/leaderboards.ts
@@ -11,9 +11,19 @@ import {
 } from "../../middlewares/api-utils";
 const BASE_LEADERBOARD_VALIDATION_SCHEMA = {
- language: joi.string().required(),
- mode: joi.string().required(),
- mode2: joi.string().required(),
+ language: joi
+ .string()
+ .max(50)
+ .pattern(/^[a-zA-Z0-9_+]+$/)
+ .required(),
+ mode: joi
+ .string()
+ .valid("time", "words", "quote", "zen", "custom")
+ .required(),
+ mode2: joi
+ .string()
+ .regex(/^(\d)+|custom|zen/)
+ .required(),
 };
 const LEADERBOARD_VALIDATION_SCHEMA_WITH_LIMIT = {
diff --git a/backend/src/api/routes/public.ts b/backend/src/api/routes/public.ts
index e215607a2..7acc826b9 100644
--- a/backend/src/api/routes/public.ts
+++ b/backend/src/api/routes/public.ts
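Review bot: `joi.string().token()` constrains the character set of apeKeyId but leaves its length unbounded, so an arbitrarily long parameter still reaches ApeKeyController.deleteApeKey before anything rejects it. If the key id has a known fixed length, pin it at the validation layer, `apeKeyId: joi.string().token().length(ID_LENGTH).required(),` (ID_LENGTH is a placeholder for the project's actual id width); otherwise a `.max(...)` bound gives the same early rejection. The enclosing router.delete call begins before this hunk, so the route path and the other middlewares it registers are not visible here.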
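Review bot: The mode2 pattern `/^(\d)+|custom|zen/` does not restrict the value the way the surrounding fields do, because alternation binds loosest: only the digit branch is anchored at the start and none of the three branches is anchored at the end, so any string that merely contains "custom" or "zen", or that starts with a digit, passes. The intended rule reads as `mode2: joi.string().regex(/^(\d+|custom|zen)$/).required(),` (the per-digit capture group is unnecessary), and unlike language this field still has no `.max(...)` bound, which would be consistent to add. The same pattern is introduced in this commit for GET_MODE_STATS_VALIDATION_SCHEMA in public.ts and in both users.ts hunks (the router.patch body schema and the getPersonalBests query schema), so all four sites need the same correction.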
@@ -5,9 +5,19 @@ import { asyncHandler, validateRequest } from "../../middlewares/api-utils";
 import joi from "joi";
 const GET_MODE_STATS_VALIDATION_SCHEMA = {
- language: joi.string().required(),
- mode: joi.string().required(),
- mode2: joi.string().required(),
+ language: joi
+ .string()
+ .max(50)
+ .pattern(/^[a-zA-Z0-9_+]+$/)
+ .required(),
+ mode: joi
+ .string()
+ .valid("time", "words", "quote", "zen", "custom")
+ .required(),
+ mode2: joi
+ .string()
+ .regex(/^(\d)+|custom|zen/)
+ .required(),
 };
 const router = Router();
diff --git a/backend/src/api/routes/users.ts b/backend/src/api/routes/users.ts
index 0b98b6195..14154d42d 100644
--- a/backend/src/api/routes/users.ts
+++ b/backend/src/api/routes/users.ts
@@ -181,8 +181,15 @@ router.patch(
 .string()
 .valid("time", "words", "quote", "zen", "custom")
 .required(),
- mode2: joi.string().required(),
- language: joi.string().required(),
+ mode2: joi
+ .string()
+ .regex(/^(\d)+|custom|zen/)
+ .required(),
+ language: joi
+ .string()
+ .max(50)
+ .pattern(/^[a-zA-Z0-9_+]+$/)
+ .required(),
 rank: joi.number().required(),
 },
 }),
@@ -413,8 +420,11 @@ router.get(
 withApeRateLimiter(RateLimit.userGet),
 validateRequest({
 query: {
- mode: joi.string().required(),
- mode2: joi.string(),
+ mode: joi
+ .string()
+ .valid("time", "words", "quote", "zen", "custom")
+ .required(),
+ mode2: joi.string().regex(/^(\d)+|custom|zen/),
 },
 }),
 asyncHandler(UserController.getPersonalBests)
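Review bot: The three field rules added to GET_MODE_STATS_VALIDATION_SCHEMA are a verbatim copy of the ones this commit adds to BASE_LEADERBOARD_VALIDATION_SCHEMA in leaderboards.ts, and the users.ts hunks inline the same language, mode and mode2 chains a third and fourth time. Validation rules that are duplicated per route drift apart on the next tightening, which is exactly what "stricter validation" invites; a single exported `MODE_VALIDATION_SCHEMA` (name is a suggestion) in a shared module, spread into each route's schema with `...MODE_VALIDATION_SCHEMA`, keeps the four sites in step. This is a structural point only; the hunk otherwise matches the leaderboards change line for line.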