const params = require("../config/parameters");
router.get("/challenges", (req,res) => {
+ if (!req.query["uid"].match(/^[0-9]+$/))
+ res.json({errmsg: "Bad user ID"});
ChallengeModel.getByUser(req.query["uid"], (err,challenges) => {
res.json(err || {challenges:challenges});
});
router.delete("/challenges", access.logged, access.ajax, (req,res) => {
const cid = req.query.id;
+ if (!cid.match(/^[0-9]+$/))
+ res.json({errmsg: "Bad challenge ID"});
ChallengeModel.safeRemove(cid, req.userId, err => {
res.json(err || {}); //TODO: just "return err" because is empty if no errors
});
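Review bot: The two new guards on L3-L4 and L10-L11 do not `return`, so after sending `{errmsg: ...}` the handler still calls `ChallengeModel.getByUser` / `ChallengeModel.safeRemove` with the rejected id and then attempts a second `res.json`, which Express reports as headers already sent — the validation never keeps the bad value out of the model. `req.query["uid"]` and `req.query.id` are also not guaranteed to be strings (a missing parameter is `undefined`, and `?uid[]=1` parses to an array), so `.match` throws a TypeError before the check even runs. Suggested: `if (typeof req.query["uid"] !== "string" || !/^[0-9]+$/.test(req.query["uid"])) return res.json({errmsg: "Bad user ID"});` and likewise `if (typeof cid !== "string" || !/^[0-9]+$/.test(cid)) return res.json({errmsg: "Bad challenge ID"});`.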
router.post("/games", access.logged, access.ajax, (req,res) => {
const gameInfo = req.body.gameInfo;
if (!Array.isArray(gameInfo.players) ||
- !gameInfo.players.some(p => p.id == req.userId))
+ gameInfo.players.every(p => p.id != req.userId))
{
return res.json({errmsg: "Cannot start someone else's game"});
}
const gameId = req.query["gid"];
if (!!gameId)
{
+ if (!gameId.match(/^[0-9]+$/))
+ return res.json({errmsg: "Wrong game ID"});
GameModel.getOne(gameId, (err,game) => {
access.checkRequest(res, err, game, "Game not found", () => {
res.json({game: game});
{
// Get by (non-)user ID:
const userId = req.query["uid"];
+ if (!userId.match(/^[0-9]+$/))
+ return res.json({errmsg: "Wrong user ID"});
const excluded = !!req.query["excluded"];
GameModel.getByUser(userId, excluded, (err,games) => {
if (!!err)
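Review bot: `userId` on L33-L34 is dereferenced with `.match` without the presence check that `gameId` gets on L24, so a request whose query lacks `uid` (or sends it as `uid[]=`) throws a TypeError instead of returning the new "Wrong user ID" message; `gameId` has the same problem when `gid` arrives as an array, since `!!gameId` only rules out empty values. Prefer a type test plus `RegExp.test`, which avoids calling a method on an untrusted value: `if (typeof userId !== "string" || !/^[0-9]+$/.test(userId)) return res.json({errmsg: "Wrong user ID"});`. The `every(p => p.id != req.userId)` rewrite on L19 is equivalent to the removed `some` form, but `gameInfo` itself (L16) is never checked, so a body without it fails on L17 with a TypeError as well. The handler bodies continue past the end of the hunk.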
if (!req.xhr)
return res.json({errmsg: "Unauthorized access"});
const from = req.body["email"];
- const subject = req.body["subject"];
- const body = req.body["content"];
+ // Replace potential newline characters in subject
+ const subject = req.body["subject"].replace(/\r?\n|\r/g, " ");
+ const body = req.body["content"]; //TODO: sanitize? Why? How?
- // TODO: sanitize ?
mailer(from, params.mail.contact, subject, body, err => {
if (!!err)
return res.json({errmsg:err});
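Review bot: The newline stripping added on L44-L45 only covers `subject`, but `from` (L41, `req.body["email"]`) is handed to `mailer` as the sender and is just as much a header value, so a CR/LF in the email field still permits header injection into the outgoing message. Validate it as a single address before the call, e.g. `if (typeof from !== "string" || /[\s,]/.test(from)) return res.json({errmsg: "Bad email"});`, and guard `req.body["subject"]` the same way, since `.replace` on a missing subject throws a TypeError. On the TODO at L46: if `mailer` sends `body` as plain text there is nothing to escape, but if it builds an HTML message the content needs HTML-escaping — which cannot be determined from this hunk. The enclosing handler starts outside the hunk.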
const anonymous = {name:"", email:"", id:0, notify:false};
if (!req.cookies.token)
return callback(anonymous);
+ if (!req.cookies.token.match(/^[a-z0-9]+$/))
+ return res.json({errmsg: "Bad token"});
UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
if (!!err || !user)
callback(anonymous);
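Review bot: The new check on L54-L55 answers a malformed `token` cookie with `{errmsg: "Bad token"}`, while the surrounding code treats a missing cookie (L52-L53) and an unknown token (L57-L58) as the `anonymous` user; a stale or corrupted cookie now blocks every request through this helper until the client drops it, which looks unintended for an optional-login path. Either degrade with `return callback(anonymous);` (optionally clearing the cookie first) or document why a syntactically bad token must be rejected outright. The `/^[a-z0-9]+$/` alphabet is case-sensitive, so it only works if session tokens are generated from lowercase characters — worth confirming against the generator, which is not visible here. The enclosing function starts and ends outside the hunk.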
// NOTE: this method is safe because only IDs and names are returned
router.get("/users", access.ajax, (req,res) => {
const ids = req.query["ids"];
+ if (!ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
+ return res.json({errmsg: "Bad IDs array"});
UserModel.getByIds(ids, (err,users) => {
if (!!err)
return res.json({errmsg: err.toString()});
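Review bot: The pattern `/^([0-9]+,?)+$/` on L62 nests a `+` quantifier inside another `+` with only an optional separator between iterations, so on a non-matching input such as `ids=1111111111111111111111111x` the engine tries every way of splitting the digit run between iterations — exponential backtracking on an attacker-controlled query string, i.e. a ReDoS on a route that carries no `access.logged` guard. `/^[0-9]+(,[0-9]+)*$/` accepts the same valid lists in linear time and also closes the trailing-comma case the NOTE calls "slightly too permissive". As elsewhere in this change `ids` may be `undefined` or an array, so use `if (typeof ids !== "string" || !/^[0-9]+(,[0-9]+)*$/.test(ids)) return res.json({errmsg: "Bad IDs array"});`.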
});
router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
+ if (!req.query.token.match(/^[a-z0-9]+$/))
+ return res.json({errmsg: "Bad token"});
UserModel.getOne("loginToken", req.query.token, (err,user) => {
access.checkRequest(res, err, user, "Invalid token", () => {
// If token older than params.tokenExpire, do nothing
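Review bot: `req.query.token` on L69 is dereferenced without a type check, so `/authenticate` with no `token` parameter (or `token[]=x`) throws a TypeError inside the handler and Express answers with a 500 instead of the intended `{errmsg: "Bad token"}`. Use `if (typeof req.query.token !== "string" || !/^[a-z0-9]+$/.test(req.query.token)) return res.json({errmsg: "Bad token"});`. As with the session-token check, the lowercase-only alphabet assumes `loginToken` values are generated from lowercase characters — confirm against the generator. The handler continues beyond the hunk; the expiry check referred to on L73 is only a comment here.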