Mirror/SponsorBlockServer
1
0
Fork 0
mirror of https://github.com/ajayyy/SponsorBlockServer.git synced 2025-12-08 20:47:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

put in limits and escapes

Browse Source
This commit is contained in:
Michael C
2021-06-25 14:35:51 -04:00
parent 09ab1dabdf
commit f2490beea2
2 changed files with 79 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/routes/getUserID.ts
View File

@@ -3,18 +3,24 @@ import {Logger} from '../utils/logger';
import {Request, Response} from 'express'; import {Request, Response} from 'express';
export async function getUserID(req: Request, res: Response) { export async function getUserID(req: Request, res: Response) {
let username = req.query.username as string; let userName = req.query.username as string;
if (username == undefined || username.length > 64) { if (userName == undefined || userName.length > 64 || userName.length < 3) {
//invalid request //invalid request
res.sendStatus(400); res.sendStatus(400);
return; return;
} }
// escape [_ % \] to avoid ReDOS
userName = userName.replace('\\', '\\\\')
.replace('_', '\\_')
.replace('%', '\\%')
// add wildcard to variable // add wildcard to variable
username = `%${username}%` userName = `%${userName}%`
try { try {
let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames" WHERE "userName" LIKE ?`, [username]); let rows = await db.prepare('all', `SELECT "userName", "userID" FROM "userNames"
WHERE "userName" LIKE ? LIMIT 10`, [userName]);
if (rows.length === 0) { if (rows.length === 0) {
res.sendStatus(404); res.sendStatus(404);
return; return;

69
test/cases/getUserID.ts
View File

@@ -126,4 +126,73 @@ describe('getUserID', () => {
}) })
.catch(err => ("couldn't call endpoint")); .catch(err => ("couldn't call endpoint"));
}); });
it('Should be able to get with public ID', (done: Done) => {
const userID = getHash("getuserid_user_06")
fetch(getbaseURL() + '/api/userID?username='+userID)
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 1) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== userID) {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== userID) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
it('Should be able to get with fuzzy public ID', (done: Done) => {
const userID = getHash("getuserid_user_06")
fetch(getbaseURL() + '/api/userID?username='+userID.substr(10,60))
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 1) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== userID) {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== userID) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
it('Should be able to get repeating username', (done: Done) => {
fetch(getbaseURL() + '/api/userID?username=repeating')
.then(async res => {
if (res.status !== 200) {
done("non 200");
} else {
const data = await res.json();
if (data.length !== 2) {
done('Returned incorrect number of users "' + data.length + '"');
} else if (data[0].userName !== "repeating") {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[0].userID !== getHash("getuserid_user_04")) {
done('Returned incorrect userID "' + data.userID + '"');
} else if (data[1].userName !== "repeating") {
done('Returned incorrect username "' + data.userName + '"');
} else if (data[1].userID !== getHash("getuserid_user_05")) {
done('Returned incorrect userID "' + data.userID + '"');
} else {
done(); // pass
}
}
})
.catch(err => ("couldn't call endpoint"));
});
}); });