cap user inputs

This commit is contained in:
Jill 2023-01-05 22:39:24 +03:00
parent 64dfe93464
commit ae3b5a18d8
10 changed files with 23 additions and 18 deletions


@ -5,8 +5,8 @@ CREATE TABLE messages (
from_account_id INTEGER NOT NULL,
to_account_id INTEGER NOT NULL,
subject TEXT NOT NULL,
body TEXT NOT NULL,
subject VARCHAR(35) NOT NULL,
body VARCHAR(200) NOT NULL,
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
read_at TEXT
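Review bot: The switch from TEXT to VARCHAR(35)/VARCHAR(200) on subject and body does not enforce a length if the backend is SQLite, which the STRFTIME(...) defaults and the COLLATE NOCASE elsewhere in this commit suggest — SQLite ignores the parenthesised size, so the only effective cap is the `[..35-1]`/`[..200-1]` truncation in the message handler. If the schema is meant to be a backstop, a CHECK constraint is what enforces it, e.g. `subject TEXT NOT NULL CHECK (length(subject) <= 35),` and `body TEXT NOT NULL CHECK (length(body) <= 200),`, with the understanding that a CHECK rejects an over-long row rather than truncating it. The same applies to the levels, accounts and account_comments tables in this commit. Since these are CREATE TABLE statements, existing databases presumably keep their old column definitions; confirm there is a migration path if the declared types are meant to matter.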


@ -4,9 +4,9 @@ CREATE TABLE levels (
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
modified_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
name TEXT NOT NULL,
user_id INTEGER NOT NULL references users(id),
description TEXT NOT NULL DEFAULT "",
name VARCHAR(20) NOT NULL,
user_id INTEGER NOT NULL references users(id),
description VARCHAR(140) NOT NULL DEFAULT "",
original INTEGER,
game_version INTEGER NOT NULL,
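Review bot: The carried-over `description VARCHAR(140) NOT NULL DEFAULT ""` spells the empty-string default with double quotes; in SQLite a double-quoted token is an identifier first and only falls back to a string literal through a legacy behaviour that builds can disable (SQLITE_DQS=0), in which case this DDL fails. `DEFAULT ''` is the portable spelling. That the backend is SQLite is inferred from the STRFTIME defaults in the same table, not stated on the page.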


@ -2,10 +2,10 @@
CREATE TABLE accounts (
id SERIAL PRIMARY KEY,
username TEXT NOT NULL COLLATE NOCASE UNIQUE,
password TEXT NOT NULL, -- bcrypt hashed
gjp2 TEXT NOT NULL,
email TEXT NOT NULL,
username VARCHAR(16) NOT NULL COLLATE NOCASE UNIQUE,
password TEXT NOT NULL, -- bcrypt hashed
gjp2 TEXT NOT NULL,
email VARCHAR(254) NOT NULL,
-- todo: swap to proper rank system
is_admin INTEGER NOT NULL DEFAULT 0,


@ -2,8 +2,8 @@
CREATE TABLE account_comments (
id SERIAL PRIMARY KEY,
account_id INTEGER NOT NULL references users(id),
comment TEXT NOT NULL,
account_id INTEGER NOT NULL references users(id),
comment VARCHAR(140) NOT NULL,
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
likes INTEGER NOT NULL DEFAULT 0


@ -26,6 +26,12 @@ CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(context : HTTP
if username.size < 3
return "-9"
end
if username.size > 16
return "-4"
end
if email.size > 254
return "-6"
end
# caps checks aren't required because `username` is already COLLATE NOCASE in the db
username_exists = DATABASE.scalar "select count(*) from accounts where username = ?", username
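Review bot: The new `return "-4"` and `return "-6"` are bare magic strings with nothing saying which client-facing condition each encodes, so a reader has to cross-check the client to know that the username branch and the email branch return different codes on purpose. A one-line comment on each, e.g. `# -4: username too long` and `# -6: email too long (client error codes)`, would make that intent checkable; I cannot confirm from the hunk that these are the codes the client expects, so the comment should state the intended meaning only. The registration handler starts and ends outside the hunk.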


@ -11,6 +11,7 @@ CrystalGauntlet.endpoints["/updateGJAccSettings20.php"] = ->(context : HTTP::Ser
return "-1"
end
# todo: figure out max lengths and cap
DATABASE.exec("update accounts set messages_enabled=?, friend_requests_enabled=?, comments_enabled=?, youtube_url=?, twitter_url=?, twitch_url=? where id=?", params["mS"].to_i32, params["frS"].to_i32, params["cS"].to_i32, params["yt"], params["twitter"], params["twitch"], account_id)
"1"
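Review bot: The youtube_url, twitter_url and twitch_url values on the DATABASE.exec line are still written to accounts with no bound, so this is the one handler in a commit titled "cap user inputs" where user-supplied strings reach the database uncapped, and the `# todo: figure out max lengths and cap` above it is carried over rather than resolved. A conservative interim cap in the same style as the other handlers, `params["yt"][..MAX_URL_LEN-1]` with MAX_URL_LEN a placeholder constant still to be decided, or a length check that returns "-1" like the guard above, would close the gap until the real limits are known. The enclosing handler starts outside the hunk.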


@ -20,8 +20,7 @@ CrystalGauntlet.endpoints["/uploadGJComment21.php"] = ->(context : HTTP::Server:
end
if comment && !comment.blank?
# todo: cap comment size
comment_value = Base64.decode_string comment # usual b64, surprisingly
comment_value = Base64.decode_string(comment)[..100-1]
next_id = IDs.get_next_id("comments")
DATABASE.exec("insert into comments (id, level_id, user_id, comment, percent) values (?, ?, ?, ?, ?)", next_id, level_id, user_id, comment_value, percent)
return "1"
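Review bot: `Base64.decode_string(comment)[..100-1]` caps the decoded comment at a literal 100 that appears nowhere else in the commit — no comments table change is included, unlike account_comments, which gets VARCHAR(140) to match its handler — so it is not clear which limit the comments column is meant to have. The same inline-literal pattern is repeated as `[0..140-1]` in uploadGJAccComment20.php, `[..20-1]`/`[..140-1]` in uploadGJLevel21.php and `[..35-1]`/`[..200-1]` in uploadGJMessage20.php, with two different range spellings for the same operation; module-level constants, e.g. `MAX_LEVEL_COMMENT_LEN = 100` used as `comment_value = Base64.decode_string(comment)[0, MAX_LEVEL_COMMENT_LEN]`, would keep the schema limits and the handlers in one place. Note the cap bounds what is stored, not what is processed: the full base64 payload is decoded before truncation, so an oversized request still does all the decoding work unless a request-size limit exists upstream, which the hunk does not show. The handler starts outside the hunk.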


@ -124,7 +124,7 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
return "-1"
end
DATABASE.exec("update levels set description = ?, password = ?, requested_stars = ?, version = ?, extra_data = ?, level_info = ?, editor_time = ?, editor_time_copies = ?, song_id = ?, length = ?, objects = ?, coins = ?, has_ldm = ?, two_player = ? where id = ?", description, params["password"] == "0" ? nil : params["password"].to_i, params["requestedStars"].to_i, params["levelVersion"].to_i, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i, params["wt2"].to_i, song_id.to_i, params["levelLength"].to_i, objects, coins, params["ldm"].to_i, two_player, params["levelID"].to_i)
DATABASE.exec("update levels set description = ?, password = ?, requested_stars = ?, version = ?, extra_data = ?, level_info = ?, editor_time = ?, editor_time_copies = ?, song_id = ?, length = ?, objects = ?, coins = ?, has_ldm = ?, two_player = ? where id = ?", description[..140-1], params["password"] == "0" ? nil : params["password"].to_i, params["requestedStars"].to_i, params["levelVersion"].to_i, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i, params["wt2"].to_i, song_id.to_i, params["levelLength"].to_i, objects, coins, params["ldm"].to_i, two_player, params["levelID"].to_i)
File.write(DATA_FOLDER / "levels" / "#{params["levelID"]}.lvl", Base64.decode(params["levelString"]))
@ -133,7 +133,7 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
# create new level
next_id = IDs.get_next_id("levels")
DATABASE.exec("insert into levels (id, name, user_id, description, original, game_version, binary_version, password, requested_stars, unlisted, version, extra_data, level_info, editor_time, editor_time_copies, song_id, length, objects, coins, has_ldm, two_player) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", next_id, Clean.clean_special(params["levelName"]), user_id, description, params["original"].to_i32, params["gameVersion"].to_i32, params["binaryVersion"].to_i32, params["password"] == "0" ? nil : params["password"].to_i32, params["requestedStars"].to_i32, params["unlisted"].to_i32, params["levelVersion"].to_i32, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i32, params["wt2"].to_i32, song_id.to_i32, params["levelLength"].to_i32, objects, coins, params["ldm"].to_i32, two_player)
DATABASE.exec("insert into levels (id, name, user_id, description, original, game_version, binary_version, password, requested_stars, unlisted, version, extra_data, level_info, editor_time, editor_time_copies, song_id, length, objects, coins, has_ldm, two_player) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", next_id, Clean.clean_special(params["levelName"])[..20-1], user_id, description[..140-1], params["original"].to_i32, params["gameVersion"].to_i32, params["binaryVersion"].to_i32, params["password"] == "0" ? nil : params["password"].to_i32, params["requestedStars"].to_i32, params["unlisted"].to_i32, params["levelVersion"].to_i32, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i32, params["wt2"].to_i32, song_id.to_i32, params["levelLength"].to_i32, objects, coins, params["ldm"].to_i32, two_player)
File.write(DATA_FOLDER / "levels" / "#{next_id.to_s}.lvl", Base64.decode(params["levelString"]))
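Review bot: `description[..140-1]` is applied inline inside the very long exec argument lists in both hunks of this file, and `Clean.clean_special(params["levelName"])[..20-1]` only in the insert branch; truncating once where `description` is assigned (outside these hunks) would make the cap visible and impossible to miss in one of the two call sites. Something like `description = description[..140-1]` before the update/insert branch, with a comment naming the matching levels.description VARCHAR(140), is enough. The level data itself, `Base64.decode(params["levelString"])` written to disk on the File.write lines, is not bounded anywhere in this commit; if there is no request body limit elsewhere, that is the largest unbounded user input in these handlers. The enclosing handler starts and ends outside the hunk.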


@ -17,7 +17,7 @@ CrystalGauntlet.endpoints["/uploadGJMessage20.php"] = ->(context : HTTP::Server:
end
next_message_id = IDs.get_next_id("messages")
DATABASE.exec("insert into messages (id, from_account_id, to_account_id, subject, body) values (?, ?, ?, ?, ?)", next_message_id, account_id, params["toAccountID"].to_i, Base64.decode_string(params["subject"]), String.new(XorCrypt.encrypt_string(Base64.decode_string(params["body"]), XorCrypt::MESSAGE_XOR_KEY)))
DATABASE.exec("insert into messages (id, from_account_id, to_account_id, subject, body) values (?, ?, ?, ?, ?)", next_message_id, account_id, params["toAccountID"].to_i, Base64.decode_string(params["subject"])[..35-1], String.new(XorCrypt.encrypt_string(Base64.decode_string(params["body"])[..200-1], XorCrypt::MESSAGE_XOR_KEY)))
return "1"
}


@ -14,8 +14,7 @@ CrystalGauntlet.endpoints["/uploadGJAccComment20.php"] = ->(context : HTTP::Serv
comment = params["comment"]?
if comment && !comment.blank?
# todo: cap comment size
comment_value = Base64.decode_string comment # usual b64, surprisingly
comment_value = Base64.decode_string(comment)[0..140-1]
next_id = IDs.get_next_id("account_comments")
DATABASE.exec("insert into account_comments (id, account_id, comment) values (?, ?, ?)", next_id, account_id, comment_value)
return "1"