refactor string cleaning
This commit is contained in:
parent
571041f8f8
commit
c83975ddfa
|
@ -12,7 +12,7 @@ CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(body : String)
|
||||||
return "-1"
|
return "-1"
|
||||||
end
|
end
|
||||||
|
|
||||||
username = Clean.clean_special(params["userName"])
|
username = Clean.clean_basic(params["userName"])
|
||||||
password = params["password"]
|
password = params["password"]
|
||||||
email = params["email"]
|
email = params["email"]
|
||||||
|
|
||||||
|
|
|
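Review bot: `Clean.clean_basic` silently rewrites the submitted username instead of rejecting it, so a client registering `a.b@c` gets an account named `abc` with no error, and two different submitted names can collapse onto the same stored name. The endpoint already has a `return "-1"` failure path in the context lines above, so refusing names that change under cleaning is cheaper and more predictable: keep `username = Clean.clean_basic(params["userName"])` and add `return "-1" if username.empty? || username != params["userName"]`. `password` and `email` are still taken verbatim, which is pre-existing, but worth a comment on whether they are sanitized further down. The lambda for this endpoint begins and ends outside the hunk.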
@ -96,6 +96,8 @@ CrystalGauntlet.endpoints["/downloadGJLevel22.php"] = ->(body : String): String
|
||||||
27 => xor_pass,
|
27 => xor_pass,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
# todo: shove this into fmt_hash to prevent injects
|
||||||
|
|
||||||
if params.has_key?("extras")
|
if params.has_key?("extras")
|
||||||
response += ":26:" + level_info
|
response += ":26:" + level_info
|
||||||
end
|
end
|
||||||
|
|
|
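Review bot: The todo placed above `response += ":26:" + level_info` names the problem but not its shape: with `fmt_hash` joining on `:` and `fmt_value` now stripping `:` from every value, this raw concatenation appears to be the one field in the response that skips that stripping, so a `:` inside `level_info` would be read by the client as an extra key/value boundary. A reader coming to act on the todo needs to know where `level_info` comes from and why it cannot simply be another hash entry today; suggest `# todo: level_info is appended raw and skips fmt_value's ':'/'~'/'|' stripping; pass it as key 26 to fmt_hash once <blocker> is resolved` with the blocker filled in. The enclosing lambda begins and ends outside the hunk, so where `level_info` is built is not visible here.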
@ -15,7 +15,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
||||||
# order by [...]
|
# order by [...]
|
||||||
order = "levels.created_at desc"
|
order = "levels.created_at desc"
|
||||||
|
|
||||||
page_offset = Clean.clean_number(params["page"]? || "0").to_i * levels_per_page
|
page_offset = (params["page"]? || "0").to_i * levels_per_page
|
||||||
|
|
||||||
searchQuery = params["str"]? || ""
|
searchQuery = params["str"]? || ""
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
||||||
if params["customSong"]? && params["customSong"]? != ""
|
if params["customSong"]? && params["customSong"]? != ""
|
||||||
# todo
|
# todo
|
||||||
else
|
else
|
||||||
queryParams << "song_id = '#{Clean.clean_number(params["song"])}'"
|
queryParams << "song_id = '#{params["song"].to_i}'"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
if params["twoPlayer"]? == "1"
|
if params["twoPlayer"]? == "1"
|
||||||
|
@ -102,7 +102,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
||||||
when "3" # trending
|
when "3" # trending
|
||||||
# todo
|
# todo
|
||||||
when "5" # made by user
|
when "5" # made by user
|
||||||
queryParams << "levels.user_id = #{Clean.clean_number(searchQuery)}" # (you can't sql inject with numbers)
|
queryParams << "levels.user_id = #{searchQuery.to_i}" # (you can't sql inject with numbers)
|
||||||
when "6", "17" # featured (gdw is 17)
|
when "6", "17" # featured (gdw is 17)
|
||||||
# todo: order by feature date
|
# todo: order by feature date
|
||||||
queryParams << "featured = 1"
|
queryParams << "featured = 1"
|
||||||
|
@ -113,7 +113,7 @@ CrystalGauntlet.endpoints["/getGJLevels21.php"] = ->(body : String): String {
|
||||||
# todo
|
# todo
|
||||||
when "10", "19" # map packs
|
when "10", "19" # map packs
|
||||||
order = "map_pack_links.idx asc"
|
order = "map_pack_links.idx asc"
|
||||||
queryParams << "levels.id in (#{Clean.clean_number_list(searchQuery)})"
|
queryParams << "levels.id in (#{searchQuery.split(",").map{|v| v.to_i}.join(",")})"
|
||||||
when "11" # rated
|
when "11" # rated
|
||||||
# todo: order by rate date
|
# todo: order by rate date
|
||||||
queryParams << "levels.stars is not null"
|
queryParams << "levels.stars is not null"
|
||||||
|
|
|
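Review bot: Replacing `Clean.clean_number(...)` with `.to_i` changes the failure mode for malformed input: Crystal's `String#to_i` is strict and raises `ArgumentError` on an empty string or on any non-numeric character, so a `song` of `abc`, a `str` of `12,` for map packs (`"".to_i` after the split), or a `page` of `1a` now becomes an unhandled exception instead of a degraded query, whereas the old `clean_number` only raised in the `page` case. Whether the endpoint wrapper turns that into a response is not visible, since the lambda starts outside these hunks. The nil-returning variant keeps the integer guarantee the "(you can't sql inject with numbers)" comment relies on while avoiding the raise: `page_offset = ((params["page"]? || "0").to_i? || 0) * levels_per_page`, `queryParams << "song_id = '#{params["song"].to_i? || 0}'"`, and for map packs `searchQuery.split(",").compact_map(&.to_i?).join(",")`. The same applies to the `levels.user_id = #{searchQuery.to_i}` line in the `when "5"` hunk; an empty map-pack list still yields `in ()`, which is a separate pre-existing issue.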
@ -16,9 +16,9 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(body : String): String {
|
||||||
|
|
||||||
description = params["levelDesc"]
|
description = params["levelDesc"]
|
||||||
if params["gameVersion"].to_i >= 20 # 2.0
|
if params["gameVersion"].to_i >= 20 # 2.0
|
||||||
description = Clean.clean_special_lenient(GDBase64.decode_string description)
|
description = Clean.clean_special(GDBase64.decode_string description)
|
||||||
else
|
else
|
||||||
description = Clean.clean_special_lenient(description)
|
description = Clean.clean_special(description)
|
||||||
end
|
end
|
||||||
# todo: patch descriptions to prevent color bugs
|
# todo: patch descriptions to prevent color bugs
|
||||||
|
|
||||||
|
|
|
@ -2,16 +2,8 @@
|
||||||
module CrystalGauntlet::Clean
|
module CrystalGauntlet::Clean
|
||||||
extend self
|
extend self
|
||||||
|
|
||||||
# removes commonly used chars in response formatting
|
|
||||||
def clean_special(str)
|
|
||||||
# these are just the ones commonly used in response formatting
|
|
||||||
# i'm unsure if any other ones should be added, so for the time
|
|
||||||
# being i'll just keep it as is
|
|
||||||
str.gsub(/[:\|~#\(\)\0\n~]/, "")
|
|
||||||
end
|
|
||||||
|
|
||||||
# for descriptions & similar
|
# for descriptions & similar
|
||||||
def clean_special_lenient(str)
|
def clean_special(str)
|
||||||
str.gsub(/[\0]/, "")
|
str.gsub(/[\0]/, "")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -20,16 +12,16 @@ module CrystalGauntlet::Clean
|
||||||
str.gsub(/[^A-Za-z0-9 ]/, "")
|
str.gsub(/[^A-Za-z0-9 ]/, "")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# only allow "basic" characters (roughly printable ascii, excluding format-breaking chars)
|
||||||
|
def clean_basic(str)
|
||||||
|
str.gsub(/[^A-Za-z0-9\-_ ]/, "")
|
||||||
|
end
|
||||||
|
|
||||||
# only allows numbers
|
# only allows numbers
|
||||||
def clean_number(str)
|
def clean_number(str)
|
||||||
str.gsub(/[^0-9]/, "")
|
str.gsub(/[^0-9]/, "")
|
||||||
end
|
end
|
||||||
|
|
||||||
# only allows numbers and commas
|
|
||||||
def clean_number_list(str)
|
|
||||||
str.gsub(/[^0-9,]/, "")
|
|
||||||
end
|
|
||||||
|
|
||||||
# for b64 inputs; thoroughly cleans them
|
# for b64 inputs; thoroughly cleans them
|
||||||
def clean_b64(str)
|
def clean_b64(str)
|
||||||
GDBase64.encode(GDBase64.decode_string(str))
|
GDBase64.encode(GDBase64.decode_string(str))
|
||||||
|
|
|
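Review bot: The comment added above `clean_basic`, `# only allow "basic" characters (roughly printable ascii, excluding format-breaking chars)`, overstates what the regex permits: `[^A-Za-z0-9\-_ ]` keeps only ASCII letters, digits, hyphen, underscore and space, so most printable ASCII (`.`, `@`, `'`, `!`) is removed. Suggest `# only allow ASCII letters, digits, hyphen, underscore and space; everything else is stripped`. The surviving `clean_special` now removes only NUL, yet its name and the kept comment `# for descriptions & similar` no longer say that the response-format characters it used to strip are handled elsewhere; a comment such as `# strips NUL only; ':' '~' '|' are removed at output by Format.fmt_value` would stop callers assuming it still sanitizes for the wire format. `clean_number_list` is deleted in the second hunk, which is fine as long as no caller other than the getGJLevels21 site changed in this commit remains.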
@ -34,12 +34,10 @@ module CrystalGauntlet::Format
|
||||||
s.to_s(colon_safe ? TIME_FORMAT_USER_FRIENDLY : TIME_FORMAT_GD_FRIENDLY)
|
s.to_s(colon_safe ? TIME_FORMAT_USER_FRIENDLY : TIME_FORMAT_GD_FRIENDLY)
|
||||||
end
|
end
|
||||||
|
|
||||||
def fmt_value(v, colon_safe=false) : String
|
def fmt_value(v, colon_safe=false, tilda_safe=false, pipe_safe=false) : String
|
||||||
case v
|
case v
|
||||||
when Bool
|
when Bool
|
||||||
v ? "1" : "0"
|
v ? "1" : "0"
|
||||||
when String
|
|
||||||
v
|
|
||||||
when Time::Span
|
when Time::Span
|
||||||
fmt_timespan(v)
|
fmt_timespan(v)
|
||||||
when Time
|
when Time
|
||||||
|
@ -49,20 +47,31 @@ module CrystalGauntlet::Format
|
||||||
fmt_time(v, colon_safe)
|
fmt_time(v, colon_safe)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
v.to_s
|
v = v.to_s
|
||||||
|
v = Clean.clean_special(v)
|
||||||
|
if !colon_safe
|
||||||
|
v = v.gsub(":", "")
|
||||||
|
end
|
||||||
|
if !tilda_safe
|
||||||
|
v = v.gsub("~", "")
|
||||||
|
end
|
||||||
|
if !pipe_safe
|
||||||
|
v = v.gsub("|", "")
|
||||||
|
end
|
||||||
|
v
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def fmt_hash(hash) : String
|
def fmt_hash(hash) : String
|
||||||
hash.map_with_index{ |(i, v)| "#{i}:#{fmt_value(v)}" }.join(":")
|
hash.map_with_index{ |(i, v)| "#{i}:#{fmt_value(v, false, true, false)}" }.join(":")
|
||||||
end
|
end
|
||||||
|
|
||||||
def fmt_song(hash) : String
|
def fmt_song(hash) : String
|
||||||
hash.map_with_index{ |(i, v)| "#{i}~|~#{fmt_value(v, true)}" }.join("~|~")
|
hash.map_with_index{ |(i, v)| "#{i}~|~#{fmt_value(v, true, false, false)}" }.join("~|~")
|
||||||
end
|
end
|
||||||
|
|
||||||
def fmt_comment(hash) : String
|
def fmt_comment(hash) : String
|
||||||
hash.map_with_index{ |(i, v)| "#{i}~#{fmt_value(v, true)}" }.join("~")
|
hash.map_with_index{ |(i, v)| "#{i}~#{fmt_value(v, true, false, true)}" }.join("~")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
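Review bot: The new `else` branch in `fmt_value` strips only NUL (via the slimmed `Clean.clean_special`) plus `:`, `~` and `|` by flag, whereas the `clean_special` this commit deletes also removed `#`, `(`, `)` and newlines and described them as characters "commonly used in response formatting". If `#` or `\n` still delimits sections anywhere in the protocol, a value containing one now reaches the client unaltered; consider stripping them unconditionally here, e.g. `v = Clean.clean_special(v).gsub(/[#\n]/, "")`, or adding a flag for them if some caller needs them kept. Separately, `fmt_value(v, false, true, false)` in `fmt_hash` and the similar calls in `fmt_song` and `fmt_comment` are three bare booleans; Crystal named arguments, `fmt_value(v, colon_safe: false, tilda_safe: true, pipe_safe: false)`, would make each call self-explanatory. Note that the `Time` branch returns `fmt_time(v, colon_safe)` without passing through this stripping, so its output relies on the time format strings alone.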