diff --git a/src/routes/getUserID.ts b/src/routes/getUserID.ts
index 5e96491..480280e 100644
--- a/src/routes/getUserID.ts
+++ b/src/routes/getUserID.ts
@@ -3,18 +3,24 @@ import {Logger} from '../utils/logger';
 import {Request, Response} from 'express';
 export async function getUserID(req: Request, res: Response) {
- let username = req.query.username as string;
+ let userName = req.query.username as string;
- if (username == undefined || username.length > 64) {
+ if (userName == undefined || userName.length > 64 || userName.length < 3) {
 //invalid request
 res.sendStatus(400);
 return;
 }
+ // escape [_ % \] to avoid ReDOS
+ userName = userName.replace('\\', '\\\\')
+ .replace('_', '\\_')
+ .replace('%', '\\%')
+
 // add wildcard to variable
- username = `%${username}%`
+ userName = `%${userName}%`
 try {
- let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames" WHERE "userName" LIKE ?`, [username]);
+ let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames"
+ WHERE "userName" LIKE ? LIMIT 10`, [userName]);
 if (rows.length === 0) {
 res.sendStatus(404);
 return;
diff --git a/test/cases/getUserID.ts b/test/cases/getUserID.ts
index 24aabb3..f51f353 100644
--- a/test/cases/getUserID.ts
+++ b/test/cases/getUserID.ts
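Review bot: The escaping added before the wildcard is applied only to the first occurrence of each character, because `String.prototype.replace` with a string pattern does not replace globally, so a name such as `a_b_c` still reaches LIKE with an unescaped `_` that matches any single character. Use regex patterns with the `g` flag: `userName = userName.replace(/\\/g, '\\\\')` / `.replace(/_/g, '\\_')` / `.replace(/%/g, '\\%');`. The backslash is only honored as an escape if the query declares it: if the backend is SQLite the `LIKE ?` needs an explicit `ESCAPE '\'` clause, and without it `\_` matches a literal backslash followed by any character, so names containing `_` or `%` would stop matching; the added `LIMIT 10` query should carry that clause unless the database in use treats backslash as the default escape. The `// escape [_ % \] to avoid ReDOS` comment names the wrong risk, since LIKE is not a regex engine and the leading `%` already forces a scan; the motive is that user-supplied wildcards broaden the match, so `// escape LIKE wildcards so user input is matched literally` describes it better. getUserID's body continues past the hunk.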
@@ -126,4 +126,73 @@ describe('getUserID', () => {
 })
 .catch(err => ("couldn't call endpoint"));
 });
+
+ it('Should be able to get with public ID', (done: Done) => {
+ const userID = getHash("getuserid_user_06")
+ fetch(getbaseURL() + '/api/userID?username='+userID)
+ .then(async res => {
+ if (res.status !== 200) {
+ done("non 200");
+ } else {
+ const data = await res.json();
+ if (data.length !== 1) {
+ done('Returned incorrect number of users "' + data.length + '"');
+ } else if (data[0].userName !== userID) {
+ done('Returned incorrect username "' + data.userName + '"');
+ } else if (data[0].userID !== userID) {
+ done('Returned incorrect userID "' + data.userID + '"');
+ } else {
+ done(); // pass
+ }
+ }
+ })
+ .catch(err => ("couldn't call endpoint"));
+ });
+
+ it('Should be able to get with fuzzy public ID', (done: Done) => {
+ const userID = getHash("getuserid_user_06")
+ fetch(getbaseURL() + '/api/userID?username='+userID.substr(10,60))
+ .then(async res => {
+ if (res.status !== 200) {
+ done("non 200");
+ } else {
+ const data = await res.json();
+ if (data.length !== 1) {
+ done('Returned incorrect number of users "' + data.length + '"');
+ } else if (data[0].userName !== userID) {
+ done('Returned incorrect username "' + data.userName + '"');
+ } else if (data[0].userID !== userID) {
+ done('Returned incorrect userID "' + data.userID + '"');
+ } else {
+ done(); // pass
+ }
+ }
+ })
+ .catch(err => ("couldn't call endpoint"));
+ });
+
+ it('Should be able to get repeating username', (done: Done) => {
+ fetch(getbaseURL() + '/api/userID?username=repeating')
+ .then(async res => {
+ if (res.status !== 200) {
+ done("non 200");
+ } else {
+ const data = await res.json();
+ if (data.length !== 2) {
+ done('Returned incorrect number of users "' + data.length + '"');
+ } else if (data[0].userName !== "repeating") {
+ done('Returned incorrect username "' + data.userName + '"');
+ } else if (data[0].userID !== getHash("getuserid_user_04")) {
+ done('Returned incorrect userID "' + data.userID + '"');
+ } else if (data[1].userName !== "repeating") {
+ done('Returned incorrect username "' + data.userName + '"');
+ } else if (data[1].userID !== getHash("getuserid_user_05")) {
+ done('Returned incorrect userID "' + data.userID + '"');
+ } else {
+ done(); // pass
+ }
+ }
+ })
+ .catch(err => ("couldn't call endpoint"));
+ });
 });
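Review bot: Each new test's `.catch(err => ("couldn't call endpoint"))` returns a string without ever calling `done`, so a transport failure surfaces as a mocha timeout rather than the intended message; it should be `.catch(err => done("couldn't call endpoint"))` in all three added cases. The failure messages also read `data.userName` and `data.userID` where `data` is the array the endpoint returns, so they print `undefined` instead of the mismatching value; use `data[0].userName` / `data[1].userID` to match the element being compared. The fuzzy case's `userID.substr(10,60)` relies on the deprecated `substr`; `userID.slice(10, 70)` yields the same substring. The enclosing `describe` callback starts outside the hunk.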