feat(api): implemented SQL injection protection

antifallobst 2023-08-16 18:01:44 +02:00
parent c87803d479
commit c38093b55b
Signed by: antifallobst
GPG Key ID: 2B4F402172791BAF
2 changed files with 39 additions and 6 deletions


@ -2,9 +2,9 @@ use serde::{Deserialize, Serialize};
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct RegisterRequest { pub struct RegisterRequest {
username: String, pub username: String,
password: String, pub password: String,
email: String, pub email: String,
} }
#[derive(Debug, Serialize)] #[derive(Debug, Serialize)]
@ -24,7 +24,7 @@ pub enum RegisterResponse {
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct VerifyRequest { pub struct VerifyRequest {
token: String, pub token: String,
} }
#[derive(Debug)] #[derive(Debug)]
@ -36,8 +36,8 @@ pub enum VerifyResponse {
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct AuthenticateRequest { pub struct AuthenticateRequest {
username: String, pub username: String,
password: String, pub password: String,
} }
#[derive(Debug, Serialize)] #[derive(Debug, Serialize)]


@ -2,17 +2,46 @@ use crate::api::account::data;
use anyhow::Result; use anyhow::Result;
use log::info; use log::info;
fn is_sql_injection(string: &String) -> bool {
match libinjection::sqli(string) {
Some((is_injection, _)) => is_injection,
None => true, // this could be a false positive, but that would be better than an SQLi
}
}
trait AlphaExt {
fn is_alpha(&self) -> bool;
}
impl AlphaExt for String {
fn is_alpha(&self) -> bool {
self.chars().all(|c| c.is_alphanumeric())
}
}
pub async fn register(request: data::RegisterRequest) -> Result<data::RegisterResponse> { pub async fn register(request: data::RegisterRequest) -> Result<data::RegisterResponse> {
if is_sql_injection(&request.username) || is_sql_injection(&request.email) {
return Ok(data::RegisterResponse::Blocked);
}
Ok(data::RegisterResponse::Success) Ok(data::RegisterResponse::Success)
} }
pub async fn verify(request: data::VerifyRequest) -> Result<data::VerifyResponse> { pub async fn verify(request: data::VerifyRequest) -> Result<data::VerifyResponse> {
if !request.token.is_alpha() {
return Ok(data::VerifyResponse::Blocked);
}
Ok(data::VerifyResponse::Success) Ok(data::VerifyResponse::Success)
} }
pub async fn authenticate( pub async fn authenticate(
request: data::AuthenticateRequest, request: data::AuthenticateRequest,
) -> Result<data::AuthenticateResponse> { ) -> Result<data::AuthenticateResponse> {
if is_sql_injection(&request.username) {
return Ok(data::AuthenticateResponse::Blocked);
}
Ok(data::AuthenticateResponse::Success( Ok(data::AuthenticateResponse::Success(
data::AuthenticateSuccess { data::AuthenticateSuccess {
token: "not_a_valid_token".to_string(), token: "not_a_valid_token".to_string(),
@ -21,6 +50,10 @@ pub async fn authenticate(
} }
pub async fn delete(token: String) -> Result<data::DeleteResponse> { pub async fn delete(token: String) -> Result<data::DeleteResponse> {
if !token.is_alpha() {
return Ok(data::DeleteResponse::Blocked);
}
info!("Token: {}", token); info!("Token: {}", token);
Ok(data::DeleteResponse::Success) Ok(data::DeleteResponse::Success)
} }
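Review bot: `is_sql_injection` in the first hunk is a heuristic classifier placed in front of the query layer, so whether `username` and `email` can actually alter a statement still depends on how the database code (not visible in this hunk) builds its queries; it should be documented as a defense-in-depth pre-filter rather than as the protection itself, e.g. `/// Heuristic pre-filter via libinjection; not a substitute for parameterized queries in the data layer.` The parameter should be `&str` — `fn is_sql_injection(string: &str) -> bool {` — since the call sites already pass `&request.username`, which coerces. `AlphaExt::is_alpha` is named "alpha" but checks `is_alphanumeric`, which is Unicode-aware, so tokens with non-ASCII letters or digits pass; if tokens are expected to be ASCII (as the `verify` and `delete` call sites suggest but do not establish), `c.is_ascii_alphanumeric()` is the tighter check, and a one-line doc comment should state which alphabet the method accepts. The `None => true` arm in `is_sql_injection` is a sensible fail-closed default, but it rejects inputs libinjection cannot fingerprint with no trace; since `log` is already imported, an `info!`/`warn!` in that arm would make such false positives observable to operators.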