myriation/doipjs
1
0
Fork 0
forked from Mirrors/doipjs
Code Pull requests Packages 1 Activity

Improve query validation

Browse source
This commit is contained in:
Yarmo Mackenbach 2021-04-15 15:09:57 +02:00
parent c333229e5d
commit 2e6baef01d
No known key found for this signature in database
GPG key ID: 37367F4AF4087AD1
1 changed files with 115 additions and 122 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

113
src/proxy/api/v2/index.js
View file

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
const router = require('express').Router() const router = require('express').Router()
const { body, validationResult } = require('express-validator') const { query, validationResult } = require('express-validator')
const fetcher = require('../../../fetcher') const fetcher = require('../../../fetcher')
const E = require('../../../enums') const E = require('../../../enums')
require('dotenv').config() require('dotenv').config()
@ -41,19 +41,21 @@ const opts = {
// Root route // Root route
router.get('/', async (req, res) => { router.get('/', async (req, res) => {
return res.status(400).json({ error: 'Invalid endpoint' }) return res.status(400).json({ errors: 'Invalid endpoint' })
}) })
// HTTP route // HTTP route
router.get('/get/http', (req, res) => { router.get('/get/http',
if (!req.query.url) { query('url').isURL(),
return res.status(400).json({ error: 'Missing parameter(s)' }) query('format').isIn([E.ProofFormat.JSON, E.ProofFormat.TEXT]),
} (req, res) => {
if (!validUrl.isUri(req.query.url)) { const errors = validationResult(req)
return res.status(400).json({ error: 'Invalid URL' }) if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() })
} }
fetcher.http(req.query, opts) fetcher
.http(req.query, opts)
.then(result => { .then(result => {
switch (req.query.format) { switch (req.query.format) {
case E.ProofFormat.JSON: case E.ProofFormat.JSON:
@ -63,21 +65,20 @@ router.get('/get/http', (req, res) => {
case E.ProofFormat.TEXT: case E.ProofFormat.TEXT:
return res.status(200).send(result) return res.status(200).send(result)
break; break;
default:
throw new Error('Invalid proof format')
break;
} }
}) })
.catch(err => { .catch(err => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })
// DNS route // DNS route
router.get('/get/dns', (req, res) => { router.get('/get/dns',
if (!req.query.domain) { query('domain').isFQDN(),
return res.status(400).json({ error: 'Missing parameter(s)' }) (req, res) => {
const errors = validationResult(req)
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() })
} }
fetcher fetcher
@ -86,36 +87,21 @@ router.get('/get/dns', (req, res) => {
return res.status(200).send(data) return res.status(200).send(data)
}) })
.catch((err) => { .catch((err) => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })
// XMPP route // XMPP route
router.get('/get/xmpp', async (req, res) => { router.get('/get/xmpp',
query('id').isEmail(),
query('field').isIn(['fn','number','userid','url','bday','nickname','note','desc']),
async (req, res) => {
if (!opts.claims.xmpp.service || !opts.claims.xmpp.username || !opts.claims.xmpp.password) { if (!opts.claims.xmpp.service || !opts.claims.xmpp.username || !opts.claims.xmpp.password) {
return res.status(501).json({ error: 'XMPP not enabled on server' }) return res.status(501).json({ errors: 'XMPP not enabled on server' })
} }
const errors = validationResult(req)
if (!req.query.id || !req.query.field) { if (!errors.isEmpty()) {
return res.status(400).json({ error: 'Missing parameter(s)' }) return res.status(400).json({ errors: errors.array() })
}
if (!(/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,})+$/.test(req.query.id))) {
return res.status(400).json({ error: 'Invalid XMPP ID' })
}
const allowedField = [
'FN',
'NUMBER',
'USERID',
'URL',
'BDAY',
'NICKNAME',
'NOTE',
'DESC',
]
if (!allowedField.includes(req.query.field)) {
return res.status(400).json({ error: 'Invalid XMPP vCard field' })
} }
fetcher fetcher
@ -124,18 +110,20 @@ router.get('/get/xmpp', async (req, res) => {
return res.status(200).send(data) return res.status(200).send(data)
}) })
.catch((err) => { .catch((err) => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })
// Twitter route // Twitter route
router.get('/get/twitter', async (req, res) => { router.get('/get/twitter',
query('tweetId').isInt(),
async (req, res) => {
if (!opts.claims.twitter.bearerToken) { if (!opts.claims.twitter.bearerToken) {
return res.status(501).json({ error: 'Twitter not enabled on server' }) return res.status(501).json({ errors: 'Twitter not enabled on server' })
} }
const errors = validationResult(req)
if (!req.query.tweetId) { if (!errors.isEmpty()) {
return res.status(400).json({ error: 'Missing parameter(s)' }) return res.status(400).json({ errors: errors.array() })
} }
fetcher fetcher
@ -144,18 +132,21 @@ router.get('/get/twitter', async (req, res) => {
return res.status(200).send(data) return res.status(200).send(data)
}) })
.catch((err) => { .catch((err) => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })
// Matrix route // Matrix route
router.get('/get/matrix/:matrixroomid/:matrixeventid', async (req, res) => { router.get('/get/matrix',
query('roomId').isString(),
query('eventId').isString(),
async (req, res) => {
if (!opts.claims.matrix.instance || !opts.claims.matrix.accessToken) { if (!opts.claims.matrix.instance || !opts.claims.matrix.accessToken) {
return res.status(501).json({ error: 'Matrix not enabled on server' }) return res.status(501).json({ errors: 'Matrix not enabled on server' })
} }
const errors = validationResult(req)
if (!req.query.id || !req.query.field) { if (!errors.isEmpty()) {
return res.status(400).json({ error: 'Missing parameter(s)' }) return res.status(400).json({ errors: errors.array() })
} }
fetcher fetcher
@ -164,18 +155,20 @@ router.get('/get/matrix/:matrixroomid/:matrixeventid', async (req, res) => {
return res.status(200).send(data) return res.status(200).send(data)
}) })
.catch((err) => { .catch((err) => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })
// IRC route // IRC route
router.get('/get/irc/:ircserver/:ircnick', async (req, res) => { router.get('/get/irc',
query('nick').isString(),
async (req, res) => {
if (!opts.claims.irc.nick) { if (!opts.claims.irc.nick) {
return res.status(501).json({ error: 'IRC not enabled on server' }) return res.status(501).json({ errors: 'IRC not enabled on server' })
} }
const errors = validationResult(req)
if (!req.query.nick) { if (!errors.isEmpty()) {
return res.status(400).json({ error: 'Missing parameter(s)' }) return res.status(400).json({ errors: errors.array() })
} }
fetcher fetcher
@ -184,7 +177,7 @@ router.get('/get/irc/:ircserver/:ircnick', async (req, res) => {
return res.status(200).send(data) return res.status(200).send(data)
}) })
.catch((err) => { .catch((err) => {
return res.status(400).json({ error: err.message ? err.message : err }) return res.status(400).json({ errors: err.message ? err.message : err })
}) })
}) })