From f7ba9bda7557d11d3d2a747bab04e861fe472cad Mon Sep 17 00:00:00 2001
From: fatchan
Date: Sat, 4 May 2019 16:31:22 +0000
Subject: [PATCH] reject invalid arrays for parsed post body
---
 helpers/paramconverter.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/helpers/paramconverter.js b/helpers/paramconverter.js
index 1df6a26a..531b9835 100644
--- a/helpers/paramconverter.js
+++ b/helpers/paramconverter.js
@@ -1,9 +1,23 @@
 'use strict';
-const Mongo = require(__dirname+'/../db/db.js');
+const Mongo = require(__dirname+'/../db/db.js')
+ , allowedArrays = new Set(['checkedposts', 'globalcheckedposts', 'checkedbans'])
 module.exports = (req, res, next) => {
+ const bodyfields = Object.keys(req.body);
+ for (let i = 0; i < bodyfields.length; i++) {
+ const key = bodyfields[i];
+ const val = req.body[key];
+ if (!allowedArrays.has(key) && Array.isArray(val)) {
+ //this is an array from malformed input, deny it.
+ return res.status(400).render('message', {
+ 'title': 'Bad request',
+ 'message': 'Malformed input'
+ });
+ }
+ }
+
 //convert to numbers of mongoIds for action routes
 if (req.body.checkedposts) {
 req.body.checkedposts = req.body.checkedposts.map(Number);
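Review bot: The new loop over `req.body` rejects only arrays, so a field that arrives as a plain object still passes through as a non-string value; if the body parser in use builds nested objects (not visible here), that matters for any field later placed into a Mongo query. Testing the shape rather than the array case alone would close it: `if (!allowedArrays.has(key) && val !== null && typeof val === 'object') {`. Separately, the three allowed keys are never checked to actually be arrays, so a scalar `checkedposts` would make the `.map(Number)` call below throw instead of returning the 400; adding `Array.isArray(req.body.checkedposts)` to that condition would avoid it. The exported middleware continues past the end of the hunk, so the later conversions were not reviewed.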