put in limits and escapes

This commit is contained in:
Michael C
2021-06-25 14:35:51 -04:00
parent 09ab1dabdf
commit f2490beea2
2 changed files with 79 additions and 4 deletions


@@ -3,18 +3,24 @@ import {Logger} from '../utils/logger';
import {Request, Response} from 'express';
export async function getUserID(req: Request, res: Response) {
let username = req.query.username as string;
let userName = req.query.username as string;
if (username == undefined || username.length > 64) {
if (userName == undefined || userName.length > 64 || userName.length < 3) {
//invalid request
res.sendStatus(400);
return;
}
// escape [_ % \] to avoid ReDOS
userName = userName.replace('\\', '\\\\')
.replace('_', '\\_')
.replace('%', '\\%')
// add wildcard to variable
username = `%${username}%`
userName = `%${userName}%`
try {
let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames" WHERE "userName" LIKE ?`, [username]);
let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames"
WHERE "userName" LIKE ? LIMIT 10`, [userName]);
if (rows.length === 0) {
res.sendStatus(404);
return;