Input sanitisation in userpages and user settings

This commit is contained in:
Howl 2016-11-21 16:59:17 +01:00
parent 78a1c1d038
commit 20dba6cd86
4 changed files with 78 additions and 1 deletions

View File

@ -58,6 +58,12 @@ type userSettingsData struct {
func UsersSelfSettingsPOST(md common.MethodData) common.CodeMessager { func UsersSelfSettingsPOST(md common.MethodData) common.CodeMessager {
var d userSettingsData var d userSettingsData
md.RequestData.Unmarshal(&d) md.RequestData.Unmarshal(&d)
// input sanitisation
d.UsernameAKA = common.SanitiseString(d.UsernameAKA)
d.CustomBadge.Name = common.SanitiseString(d.CustomBadge.Name)
d.FavouriteMode = intPtrIn(0, d.FavouriteMode, 3)
q := new(common.UpdateQuery). q := new(common.UpdateQuery).
Add("s.username_aka", d.UsernameAKA). Add("s.username_aka", d.UsernameAKA).
Add("s.favourite_mode", d.FavouriteMode). Add("s.favourite_mode", d.FavouriteMode).
@ -114,3 +120,16 @@ WHERE u.id = ?`, md.ID()).Scan(
} }
return r return r
} }
func intPtrIn(x int, y *int, z int) *int {
if y == nil {
return nil
}
if *y > z {
return nil
}
if *y < x {
return nil
}
return y
}

View File

@ -345,7 +345,8 @@ func UserSelfUserpagePOST(md common.MethodData) common.CodeMessager {
if d.Data == nil { if d.Data == nil {
return ErrMissingField("data") return ErrMissingField("data")
} }
_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", *d.Data, md.ID()) cont := common.SanitiseString(*d.Data)
_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", cont, md.ID())
if err != nil { if err != nil {
md.Err(err) md.Err(err)
} }

16
common/sanitisation.go Normal file
View File

@ -0,0 +1,16 @@
package common
import (
"unicode"
)
// SanitiseString removes all control codes from a string.
func SanitiseString(s string) string {
n := make([]rune, 0, len(s))
for _, c := range s {
if !unicode.Is(unicode.Other, c) {
n = append(n, c)
}
}
return string(n)
}

View File

@ -0,0 +1,41 @@
package common
import "testing"
const pen = "I trattori di palmizio 나는 펜이있다. 私はリンゴを持っています。" +
"啊! 苹果笔。 у меня есть ручка, Tôi có dứa. අන්නාසි පෑන"
func TestSanitiseString(t *testing.T) {
tests := []struct {
name string
arg string
want string
}{
{
"Normal",
pen,
pen,
},
{
"Arabic (rtl)",
"أناناس",
"أناناس",
},
{
"Null",
"A\x00B",
"AB",
},
}
for _, tt := range tests {
if got := SanitiseString(tt.arg); got != tt.want {
t.Errorf("%q. SanitiseString() = %v, want %v", tt.name, got, tt.want)
}
}
}
func BenchmarkSanitiseString(b *testing.B) {
for i := 0; i < b.N; i++ {
SanitiseString(pen)
}
}