better sanitize DB regex

pull/8444/head
Thibault Duplessis 2021-03-21 09:16:08 +01:00
parent 47d8f83a51
commit 346ffac255
6 changed files with 27 additions and 23 deletions


@ -63,13 +63,13 @@ final class Storm(env: Env)(implicit mat: akka.stream.Materializer) extends Lila
def apiDashboardOf(username: String, days: Int) =
Open { implicit ctx =>
val userId = lila.user.User normalize username
if (days < 0 || days > 365) notFoundJson("Invalid days parameter")
else
((days > 0) ?? env.storm.dayApi.apiHistory(userId, days)) zip env.storm.highApi.get(userId) map {
case (history, high) =>
Ok(env.storm.json.apiDashboard(high, history))
}
lila.user.User.validateId(username) ?? { userId =>
if (days < 0 || days > 365) notFoundJson("Invalid days parameter")
else
((days > 0) ?? env.storm.dayApi.apiHistory(userId, days)) zip env.storm.highApi.get(userId) map {
case (history, high) =>
Ok(env.storm.json.apiDashboard(high, history))
}
}
}
}
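Review bot: On line 21 the response for a username that fails `validateId` is left to the implicit `Zero` instance behind `??` for `Fu[Result]`, so a rejected name no longer gets an explicit error the way a bad `days` value does on line 22. Making the rejection explicit keeps the two validation failures symmetric and does not depend on which Zero is in scope: `lila.user.User.validateId(username).fold(notFoundJson("Invalid username")) { userId =>`, with the closing brace on line 28 unchanged. If the project does define a deliberate Zero for `Fu[Result]`, a short comment on line 21 naming that fallback would serve the same purpose.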


@ -54,12 +54,12 @@ final private class RelationRepo(coll: Coll, userRepo: lila.user.UserRepo)(impli
.map(~_.flatMap(_.getAsOpt[List[User.ID]]("ids")))
def followingLike(userId: ID, term: String): Fu[List[ID]] =
User.couldBeUsername(term) ?? {
User.validateId(term) ?? { valid =>
coll.secondaryPreferred.distinctEasy[ID, List](
"u2",
$doc(
"u1" -> userId,
"u2" $startsWith term.toLowerCase,
"u2" $startsWith valid,
"r" -> Follow
)
)
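Review bot: The value interpolated into the `$startsWith` regex on line 44 is `valid`, which is only safe because `User.couldBeUsername` (outside this diff) is assumed to reject regex metacharacters; nothing at the call site enforces that, whereas the StudyTopicApi hunk in this same commit wraps its term in `java.util.regex.Pattern.quote`. The same reliance appears at `f.userId $startsWith valid` in SwissApi and `"uid" $startsWith valid` in PlayerRepo. Quoting here as well, `"u2" $startsWith java.util.regex.Pattern.quote(valid),`, or better, quoting once inside the `$startsWith` helper so no caller can forget, would make the sanitization hold even if the username pattern is later relaxed. At minimum a comment such as `// safe in a regex only because couldBeUsername restricts the character set` documents the invariant. The `??` block opened on line 38 closes outside the hunk.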


@ -78,7 +78,7 @@ final class StudyTopicApi(topicRepo: StudyTopicRepo, userTopicRepo: StudyUserTop
favsFu flatMap { favs =>
topicRepo
.coll {
_.find($doc("_id".$startsWith(str, "i")))
_.find($doc("_id".$startsWith(java.util.regex.Pattern.quote(str), "i")))
.sort($sort.naturalAsc)
.cursor[Bdoc](readPref)
.list(nb - favs.size)


@ -259,16 +259,18 @@ final class SwissApi(
}
def searchPlayers(id: Swiss.Id, term: String, nb: Int): Fu[List[User.ID]] =
User.couldBeUsername(term) ?? SwissPlayer.fields { f =>
colls.player.primitive[User.ID](
selector = $doc(
f.swissId -> id,
f.userId $startsWith term.toLowerCase
),
sort = $sort desc f.score,
nb = nb,
field = f.userId
)
User.validateId(term) ?? { valid =>
SwissPlayer.fields { f =>
colls.player.primitive[User.ID](
selector = $doc(
f.swissId -> id,
f.userId $startsWith valid
),
sort = $sort desc f.score,
nb = nb,
field = f.userId
)
}
}
def pageOf(swiss: Swiss, userId: User.ID): Fu[Option[Int]] =


@ -307,11 +307,11 @@ final class PlayerRepo(coll: Coll)(implicit ec: scala.concurrent.ExecutionContex
.result
def searchPlayers(tourId: Tournament.ID, term: String, nb: Int): Fu[List[User.ID]] =
User.couldBeUsername(term) ?? {
User.validateId(term) ?? { valid =>
coll.primitive[User.ID](
selector = $doc(
"tid" -> tourId,
"uid" $startsWith term.toLowerCase
"uid" $startsWith valid
),
sort = $sort desc "m",
nb = nb,


@ -225,6 +225,8 @@ object User {
def normalize(username: String) = username.toLowerCase
def validateId(name: String): Option[User.ID] = couldBeUsername(name) option normalize(name)
object BSONFields {
val id = "_id"
val username = "username"