trim inputs and improve imput handling for inputs to prevent all whitespace

5 years ago · cfb53d3cc1
parent 4468455b0a
commit cfb53d3cc1
4 changed files with 28 additions and 41 deletions
--- a/db/boards.js
+++ b/db/boards.js
@ -19,14 +19,6 @@ module.exports = {
 		return db.collection('boards').insertOne(data);
 	},

-	deleteOne: (board, options) => {
-
-	},
-
-	deleteMany: (board, options) => {
-
-	},
-
 	deleteAll: (board) => {
 		return db.collection('boards').deleteMany({});
 	},
@ -68,21 +60,6 @@ module.exports = {

 	},

-	canManage: (req, res, next) => {
-
-		if (req.session.user.authLevel === 3
-			|| res.locals.board.owner == req.session.user.username
-			|| res.locals.board.moderators.includes(req.session.user.username)) {
-			return next();
-		}
-		return res.status(403).render('message', {
-			'title': 'Forbidden',
-			'message': 'You do not have permission to manage this board',
-			'redirect': '/login.html'
-		});
-
-	},
-
 	getNextId: async (board) => {

 		const increment = await db.collection('counters').findOneAndUpdate(
@ -105,7 +82,7 @@ module.exports = {

 	deleteIncrement: async (board) => {

-		await db.collection('counters').findOneAndUpdate(
+		return db.collection('counters').findOneAndUpdate(
 			{
 				'_id': board
 			},
@ -119,8 +96,6 @@ module.exports = {
 			}
 		);

-		return;
-
-	},
+	}

 }
--- a/helpers/paramconverter.js
+++ b/helpers/paramconverter.js
@ -1,8 +1,9 @@
 'use strict';

 const Mongo = require(__dirname+'/../db/db.js')
-	, allowedArrays = new Set(['checkedposts', 'globalcheckedposts', 'checkedbans', 'checkedbanners'])
-	, numberFields = ['reply_limit', 'max_files', 'thread_limit', 'thread', 'min_message_length'];
+	, allowedArrays = new Set(['checkedposts', 'globalcheckedposts', 'checkedbans', 'checkedbanners']) //only these can be arrays, since express bodyparser will output arrays
+	, trimFields = ['message', 'name', 'subject', 'email', 'password', 'default_name', 'report_reason', 'ban_reason'] //trim if we dont want filed with whitespace
+	, numberFields = ['reply_limit', 'max_files', 'thread_limit', 'thread', 'min_message_length']; //convert these to numbers before they hit our routes

 module.exports = (req, res, next) => {

@ -11,7 +12,6 @@ module.exports = (req, res, next) => {
 		const key = bodyfields[i];
 		const val = req.body[key];
 		if (!allowedArrays.has(key) && Array.isArray(val)) {
-			//this is an array from malformed input, deny it.
 			return res.status(400).render('message', {
 				'title': 'Bad request',
 				'message': 'Malformed input'
@ -19,15 +19,11 @@ module.exports = (req, res, next) => {
 		}
 	}

-	//convert to numbers of mongoIds for action routes
-	if (req.body.checkedposts) {
-		req.body.checkedposts = req.body.checkedposts.map(Number);
-	}
-	if (req.body.globalcheckedposts) {
-		req.body.globalcheckedposts = req.body.globalcheckedposts.map(Mongo.ObjectId)
-	}
-	if (req.params.id) {
-		req.params.id = +req.params.id;
+	for (let i = 0; i < trimFields.length; i++) {
+		const field = trimFields[i];
+		if (req.body[field]) {
+			req.body[field] = req.body[field].trim();
+		}
 	}

 	for (let i = 0; i < numberFields.length; i++) {
@ -42,6 +38,20 @@ module.exports = (req, res, next) => {
 		}
 	}

+	//convert checked post ids to mongoid/number
+	if (req.body.checkedposts) {
+		req.body.checkedposts = req.body.checkedposts.map(Number);
+	}
+	if (req.body.globalcheckedposts) {
+		req.body.globalcheckedposts = req.body.globalcheckedposts.map(Mongo.ObjectId)
+	}
+
+	//thread id
+	if (req.params.id) {
+		req.params.id = +req.params.id;
+	}
+
+	//board page
 	if (req.params.page) {
 		req.params.page = req.params.page === 'index' ? 'index' : +req.params.page;
 	}
--- a/models/forms/makepost.js
+++ b/models/forms/makepost.js
@ -165,6 +165,8 @@ module.exports = async (req, res, next, numFiles) => {

 		}
 	}
+	// because express middleware is autistic i need to do this
+	deleteTempFiles(req).catch(e => console.error);

 	//poster ip
 	const ip = req.headers['x-real-ip'] || req.connection.remoteAddress;
--- a/models/forms/uploadbanners.js
+++ b/models/forms/uploadbanners.js
@ -69,10 +69,10 @@ module.exports = async (req, res, next, numFiles) => {
 		await remove(file.tempFilePath);

 	}
+	// because express middleware is autistic i need to do this
+	deleteTempFiles(req).catch(e => console.error);

 	await Boards.addBanners(req.params.board, filenames);
-//TODO: banners pages
-//	await buildBanners(res.locals.board);

 	return res.render('message', {
 		'title': 'Success',