refactor string cleaning
This commit is contained in:
parent
571041f8f8
commit
c83975ddfa
|
|
@ -12,7 +12,7 @@ CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(body : String)
|
|||
return "-1"
|
||||
end
|
||||
|
||||
username = Clean.clean_special(params["userName"])
|
||||
username = Clean.clean_basic(params["userName"])
|
||||
password = params["password"]
|
||||
email = params["email"]
|
||||
|
||||
|
|
|
|||
|
|
@ -96,6 +96,8 @@ CrystalGauntlet.endpoints["/downloadGJLevel22.php"] = ->(body : String): String
|
|||
27 => xor_pass,
|
||||
})
|
||||
|
||||
# todo: shove this into fmt_hash to prevent injects
|
||||
|
||||
if params.has_key?("extras")
|
||||
response += ":26:" + level_info
|
||||
end
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
|||
# order by [...]
|
||||
order = "levels.created_at desc"
|
||||
|
||||
page_offset = Clean.clean_number(params["page"]? || "0").to_i * levels_per_page
|
||||
page_offset = (params["page"]? || "0").to_i * levels_per_page
|
||||
|
||||
searchQuery = params["str"]? || ""
|
||||
|
||||
|
|
@ -46,7 +46,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
|||
if params["customSong"]? && params["customSong"]? != ""
|
||||
# todo
|
||||
else
|
||||
queryParams << "song_id = '#{Clean.clean_number(params["song"])}'"
|
||||
queryParams << "song_id = '#{params["song"].to_i}'"
|
||||
end
|
||||
end
|
||||
if params["twoPlayer"]? == "1"
|
||||
|
|
@ -102,7 +102,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
|||
when "3" # trending
|
||||
# todo
|
||||
when "5" # made by user
|
||||
queryParams << "levels.user_id = #{Clean.clean_number(searchQuery)}" # (you can't sql inject with numbers)
|
||||
queryParams << "levels.user_id = #{searchQuery.to_i}" # (you can't sql inject with numbers)
|
||||
when "6", "17" # featured (gdw is 17)
|
||||
# todo: order by feature date
|
||||
queryParams << "featured = 1"
|
||||
|
|
@ -113,7 +113,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
|||
# todo
|
||||
when "10", "19" # map packs
|
||||
order = "map_pack_links.idx asc"
|
||||
queryParams << "levels.id in (#{Clean.clean_number_list(searchQuery)})"
|
||||
queryParams << "levels.id in (#{searchQuery.split(",").map{|v| v.to_i}.join(",")})"
|
||||
when "11" # rated
|
||||
# todo: order by rate date
|
||||
queryParams << "levels.stars is not null"
|
||||
|
|
|
|||
|
|
@ -16,9 +16,9 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(body : String): String {
|
|||
|
||||
description = params["levelDesc"]
|
||||
if params["gameVersion"].to_i >= 20 # 2.0
|
||||
description = Clean.clean_special_lenient(GDBase64.decode_string description)
|
||||
description = Clean.clean_special(GDBase64.decode_string description)
|
||||
else
|
||||
description = Clean.clean_special_lenient(description)
|
||||
description = Clean.clean_special(description)
|
||||
end
|
||||
# todo: patch descriptions to prevent color bugs
|
||||
|
||||
|
|
|
|||
|
|
@ -2,16 +2,8 @@
|
|||
module CrystalGauntlet::Clean
|
||||
extend self
|
||||
|
||||
# removes commonly used chars in response formatting
|
||||
def clean_special(str)
|
||||
# these are just the ones commonly used in response formatting
|
||||
# i'm unsure if any other ones should be added, so for the time
|
||||
# being i'll just keep it as is
|
||||
str.gsub(/[:\|~#\(\)\0\n~]/, "")
|
||||
end
|
||||
|
||||
# for descriptions & similar
|
||||
def clean_special_lenient(str)
|
||||
def clean_special(str)
|
||||
str.gsub(/[\0]/, "")
|
||||
end
|
||||
|
||||
|
|
@ -20,16 +12,16 @@ module CrystalGauntlet::Clean
|
|||
str.gsub(/[^A-Za-z0-9 ]/, "")
|
||||
end
|
||||
|
||||
# only allow "basic" characters (roughly printable ascii, excluding format-breaking chars)
|
||||
def clean_basic(str)
|
||||
str.gsub(/[^A-Za-z0-9\-_ ]/, "")
|
||||
end
|
||||
|
||||
# only allows numbers
|
||||
def clean_number(str)
|
||||
str.gsub(/[^0-9]/, "")
|
||||
end
|
||||
|
||||
# only allows numbers and commas
|
||||
def clean_number_list(str)
|
||||
str.gsub(/[^0-9,]/, "")
|
||||
end
|
||||
|
||||
# for b64 inputs; thoroughly cleans them
|
||||
def clean_b64(str)
|
||||
GDBase64.encode(GDBase64.decode_string(str))
|
||||
|
|
|
|||
|
|
@ -34,12 +34,10 @@ module CrystalGauntlet::Format
|
|||
s.to_s(colon_safe ? TIME_FORMAT_USER_FRIENDLY : TIME_FORMAT_GD_FRIENDLY)
|
||||
end
|
||||
|
||||
def fmt_value(v, colon_safe=false) : String
|
||||
def fmt_value(v, colon_safe=false, tilda_safe=false, pipe_safe=false) : String
|
||||
case v
|
||||
when Bool
|
||||
v ? "1" : "0"
|
||||
when String
|
||||
v
|
||||
when Time::Span
|
||||
fmt_timespan(v)
|
||||
when Time
|
||||
|
|
@ -49,20 +47,31 @@ module CrystalGauntlet::Format
|
|||
fmt_time(v, colon_safe)
|
||||
end
|
||||
else
|
||||
v.to_s
|
||||
v = v.to_s
|
||||
v = Clean.clean_special(v)
|
||||
if !colon_safe
|
||||
v = v.gsub(":", "")
|
||||
end
|
||||
if !tilda_safe
|
||||
v = v.gsub("~", "")
|
||||
end
|
||||
if !pipe_safe
|
||||
v = v.gsub("|", "")
|
||||
end
|
||||
v
|
||||
end
|
||||
end
|
||||
|
||||
def fmt_hash(hash) : String
|
||||
hash.map_with_index{ |(i, v)| "#{i}:#{fmt_value(v)}" }.join(":")
|
||||
hash.map_with_index{ |(i, v)| "#{i}:#{fmt_value(v, false, true, false)}" }.join(":")
|
||||
end
|
||||
|
||||
def fmt_song(hash) : String
|
||||
hash.map_with_index{ |(i, v)| "#{i}~|~#{fmt_value(v, true)}" }.join("~|~")
|
||||
hash.map_with_index{ |(i, v)| "#{i}~|~#{fmt_value(v, true, false, false)}" }.join("~|~")
|
||||
end
|
||||
|
||||
def fmt_comment(hash) : String
|
||||
hash.map_with_index{ |(i, v)| "#{i}~#{fmt_value(v, true)}" }.join("~")
|
||||
hash.map_with_index{ |(i, v)| "#{i}~#{fmt_value(v, true, false, true)}" }.join("~")
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue