mirror of https://github.com/lus/pasty.git synced 2023-08-10 21:13:09 +03:00

restrict paste metadata dimensions

Lukas Schulte Pelkum 2023-06-17 20:36:15 +02:00
parent 9a794a82d0
commit e2c9454430
No known key found for this signature in database
GPG Key ID: AB3985CECFAFC962
4 changed files with 44 additions and 0 deletions


@ -0,0 +1,24 @@
package maps
func ExceedsDimensions(src map[string]any, width, depth int) bool {
if width < 0 || depth < 1 || len(src) > width {
return true
}
for _, value := range src {
childMap, ok := value.(map[string]any)
if !ok {
continue
}
if depth == 1 {
return true
}
if ExceedsDimensions(childMap, width, depth-1) {
return true
}
}
return false
}
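Review bot: The loop in ExceedsDimensions only descends into values of type `map[string]any` and skips everything else with `continue`, so a slice value is never measured: a `[]any` of any length, or one that holds further maps, passes the check whatever `width` and `depth` are. If the metadata is decoded with `encoding/json` (the handlers import it, but the decode itself is not on this page), JSON arrays arrive as `[]any`, which makes this a gap in the limit and not a corner case. I would count a slice as one nesting level with the same width bound, as sketched below. The function also lacks a doc comment stating that `width` is a per-map bound and that `depth` counts nesting levels.

```go
func ExceedsDimensions(src map[string]any, width, depth int) bool {
	// … unchanged: width/depth/len(src) guard …
	for _, value := range src {
		if exceedsValue(value, width, depth-1) {
			return true
		}
	}
	return false
}

// exceedsValue applies the limits to one nested value. Maps and slices each
// count as a nesting level; scalar values never exceed the limits.
func exceedsValue(value any, width, depth int) bool {
	switch child := value.(type) {
	case map[string]any:
		return ExceedsDimensions(child, width, depth)
	case []any:
		if depth < 1 || len(child) > width {
			return true
		}
		for _, item := range child {
			if exceedsValue(item, width, depth-1) {
				return true
			}
		}
	}
	return false
}
```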


@ -0,0 +1,6 @@
package static
var (
MaxMetadataWidth = 10
MaxMetadataDepth = 5
)
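Review bot: `MaxMetadataWidth` and `MaxMetadataDepth` are declared in a `var` block, so any package can reassign a limit that request validation depends on. Unless they are meant to be overridden at start-up (not visible here), `const` would rule that out. Either way a comment would help, for example `// MaxMetadataWidth is the maximum number of keys in a metadata map; it applies at every nesting level, not to the total.`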


@ -2,8 +2,11 @@ package web
import ( import (
"encoding/json" "encoding/json"
"fmt"
"github.com/lus/pasty/internal/maps"
"github.com/lus/pasty/internal/pastes" "github.com/lus/pasty/internal/pastes"
"github.com/lus/pasty/internal/randx" "github.com/lus/pasty/internal/randx"
"github.com/lus/pasty/internal/static"
"io" "io"
"net/http" "net/http"
"time" "time"
@ -34,6 +37,10 @@ func (server *Server) v2EndpointCreatePaste(writer http.ResponseWriter, request
writeString(writer, http.StatusBadRequest, "too large paste content") writeString(writer, http.StatusBadRequest, "too large paste content")
return return
} }
if payload.Metadata != nil && maps.ExceedsDimensions(payload.Metadata, static.MaxMetadataWidth, static.MaxMetadataDepth) {
writeString(writer, http.StatusBadRequest, fmt.Sprintf("metadata exceeds maximum dimensions (max. width: %d; max. depth: %d)", static.MaxMetadataWidth, static.MaxMetadataDepth))
return
}
id, err := pastes.GenerateID(request.Context(), server.Storage.Pastes(), server.PasteIDCharset, server.PasteIDLength) id, err := pastes.GenerateID(request.Context(), server.Storage.Pastes(), server.PasteIDCharset, server.PasteIDLength)
if err != nil { if err != nil {
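Review bot: The metadata check added to v2EndpointCreatePaste is repeated verbatim, including the formatted error message, in v2EndpointModifyPaste, so the two copies can drift apart when a limit or the wording changes. A small shared helper in package web that performs the check and returns the message would keep them in step. The `payload.Metadata != nil &&` guard is also unnecessary, because `ExceedsDimensions` already returns false for a nil map (`len` is 0 and the range does nothing). Note that the check runs on an already decoded payload, so it bounds what is stored and not what the decoder allocates; the request-body size limit that would cover the latter is outside this hunk. The function body continues outside the hunk.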


@ -2,7 +2,10 @@ package web
import ( import (
"encoding/json" "encoding/json"
"fmt"
"github.com/lus/pasty/internal/maps"
"github.com/lus/pasty/internal/pastes" "github.com/lus/pasty/internal/pastes"
"github.com/lus/pasty/internal/static"
"io" "io"
"net/http" "net/http"
) )
@ -38,6 +41,10 @@ func (server *Server) v2EndpointModifyPaste(writer http.ResponseWriter, request
writeString(writer, http.StatusBadRequest, "too large paste content") writeString(writer, http.StatusBadRequest, "too large paste content")
return return
} }
if payload.Metadata != nil && maps.ExceedsDimensions(payload.Metadata, static.MaxMetadataWidth, static.MaxMetadataDepth) {
writeString(writer, http.StatusBadRequest, fmt.Sprintf("metadata exceeds maximum dimensions (max. width: %d; max. depth: %d)", static.MaxMetadataWidth, static.MaxMetadataDepth))
return
}
// Modify the paste itself // Modify the paste itself
if payload.Content != nil { if payload.Content != nil {
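Review bot: In v2EndpointModifyPaste the limit is applied to `payload.Metadata` alone, before the paste is modified. If the code after this hunk merges the payload into the stored paste's metadata instead of replacing it (not visible here), successive modify requests that each stay within the limits could still grow the stored map past `MaxMetadataWidth`. In that case the check belongs on the merged result before it is saved, e.g. `maps.ExceedsDimensions(merged, static.MaxMetadataWidth, static.MaxMetadataDepth)`, where `merged` is a placeholder for the handler's post-merge metadata map. The function body continues outside the hunk.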