put in limits and escapes

This commit is contained in:
Michael C 2021-06-25 14:35:51 -04:00
parent 09ab1dabdf
commit f2490beea2
No known key found for this signature in database
GPG key ID: FFB04FB3B878B7B4
2 changed files with 79 additions and 4 deletions


@ -3,18 +3,24 @@ import {Logger} from '../utils/logger';
import {Request, Response} from 'express';
export async function getUserID(req: Request, res: Response) {
let username = req.query.username as string;
let userName = req.query.username as string;
if (username == undefined || username.length > 64) {
if (userName == undefined || userName.length > 64 || userName.length < 3) {
//invalid request
res.sendStatus(400);
return;
}
// escape [_ % \] to avoid ReDOS
userName = userName.replace('\\', '\\\\')
.replace('_', '\\_')
.replace('%', '\\%')
// add wildcard to variable
username = `%${username}%`
userName = `%${userName}%`
try {
let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames" WHERE "userName" LIKE ?`, [username]);
let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames"
WHERE "userName" LIKE ? LIMIT 10`, [userName]);
if (rows.length === 0) {
res.sendStatus(404);
return;
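Review bot: The escape chain on the three `userName.replace(...)` lines only neutralises the first occurrence of each character, because `String.prototype.replace` with a string pattern replaces once; a username like `a_b_c` still reaches the LIKE clause with its second `_` acting as a wildcard, which defeats the purpose of the change. Use global patterns: `userName = userName.replace(/\\/g, '\\\\').replace(/_/g, '\\_').replace(/%/g, '\\%')`. The escaping also only takes effect if the LIKE clause treats backslash as the escape character — PostgreSQL does by default, SQLite does not — so if `db` can be backed by SQLite the query needs an explicit `ESCAPE '\'`; the backend is not visible from this hunk, so please confirm. The comment `// escape [_ % \] to avoid ReDOS` is misleading as written, since the risk here is LIKE wildcard/pattern abuse rather than regex backtracking; something like `// escape LIKE metacharacters so user input cannot act as a wildcard` would describe it. The body of getUserID continues past the end of the hunk.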


@ -126,4 +126,73 @@ describe('getUserID', () => {
})
.catch(err => ("couldn't call endpoint"));
});
it('Should be able to get with public ID', (done: Done) => {
const userID = getHash("getuserid_user_06")
fetch(getbaseURL() + '/api/userID?username='+userID)
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 1) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== userID) {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== userID) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
it('Should be able to get with fuzzy public ID', (done: Done) => {
const userID = getHash("getuserid_user_06")
fetch(getbaseURL() + '/api/userID?username='+userID.substr(10,60))
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 1) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== userID) {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== userID) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
it('Should be able to get repeating username', (done: Done) => {
fetch(getbaseURL() + '/api/userID?username=repeating')
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 2) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== "repeating") {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== getHash("getuserid_user_04")) {
done('Returned incorrect userID "' + data.userID + '"');
} else if (data[1].userName !== "repeating") {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[1].userID !== getHash("getuserid_user_05")) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
});
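Review bot: None of the three new cases exercises what the commit changes — no request carries a username containing `_`, `%` or `\`, and nothing checks the `LIMIT 10` cap — so a regression in the escape or limit logic would still pass; a case that queries a name with a literal `_` and asserts it does not match a wildcard sibling would cover the escape path. The `.catch(err => ("couldn't call endpoint"))` handlers on the new cases (the same pattern as the pre-existing one above them) return a string instead of reporting, so a connection failure leaves the test hanging until the mocha timeout; `.catch(err => done("couldn't call endpoint"))` fails it promptly. The failure messages read `data.userName` and `data.userID` while the values being compared are `data[0].userName` / `data[1].userID`, so on failure they will print `undefined`. `userID.substr(10,60)` in the fuzzy case uses a deprecated API; `userID.slice(10, 70)` is the equivalent.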