feat(api): implemented SQL injection protection
This commit is contained in:
parent
c87803d479
commit
c38093b55b
GPG Key ID:
2B4F402172791BAF
|
|
@ -2,9 +2,9 @@ use serde::{Deserialize, Serialize};
|
|||
|
||||
#[derive(Debug, Deserialize)]
|
||||
pub struct RegisterRequest {
|
||||
username: String,
|
||||
password: String,
|
||||
email: String,
|
||||
pub username: String,
|
||||
pub password: String,
|
||||
pub email: String,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize)]
|
||||
|
|
@ -24,7 +24,7 @@ pub enum RegisterResponse {
|
|||
|
||||
#[derive(Debug, Deserialize)]
|
||||
pub struct VerifyRequest {
|
||||
token: String,
|
||||
pub token: String,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
|
|
@ -36,8 +36,8 @@ pub enum VerifyResponse {
|
|||
|
||||
#[derive(Debug, Deserialize)]
|
||||
pub struct AuthenticateRequest {
|
||||
username: String,
|
||||
password: String,
|
||||
pub username: String,
|
||||
pub password: String,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize)]
|
||||
|
|
|
|||
|
|
@ -2,17 +2,46 @@ use crate::api::account::data;
|
|||
use anyhow::Result;
|
||||
use log::info;
|
||||
|
||||
fn is_sql_injection(string: &String) -> bool {
|
||||
match libinjection::sqli(string) {
|
||||
Some((is_injection, _)) => is_injection,
|
||||
None => true, // this could be a false positive, but that would be better than an SQLi
|
||||
}
|
||||
}
|
||||
|
||||
trait AlphaExt {
|
||||
fn is_alpha(&self) -> bool;
|
||||
}
|
||||
|
||||
impl AlphaExt for String {
|
||||
fn is_alpha(&self) -> bool {
|
||||
self.chars().all(|c| c.is_alphanumeric())
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn register(request: data::RegisterRequest) -> Result<data::RegisterResponse> {
|
||||
if is_sql_injection(&request.username) || is_sql_injection(&request.email) {
|
||||
return Ok(data::RegisterResponse::Blocked);
|
||||
}
|
||||
|
||||
Ok(data::RegisterResponse::Success)
|
||||
}
|
||||
|
||||
pub async fn verify(request: data::VerifyRequest) -> Result<data::VerifyResponse> {
|
||||
if !request.token.is_alpha() {
|
||||
return Ok(data::VerifyResponse::Blocked);
|
||||
}
|
||||
|
||||
Ok(data::VerifyResponse::Success)
|
||||
}
|
||||
|
||||
pub async fn authenticate(
|
||||
request: data::AuthenticateRequest,
|
||||
) -> Result<data::AuthenticateResponse> {
|
||||
if is_sql_injection(&request.username) {
|
||||
return Ok(data::AuthenticateResponse::Blocked);
|
||||
}
|
||||
|
||||
Ok(data::AuthenticateResponse::Success(
|
||||
data::AuthenticateSuccess {
|
||||
token: "not_a_valid_token".to_string(),
|
||||
|
|
@ -21,6 +50,10 @@ pub async fn authenticate(
|
|||
}
|
||||
|
||||
pub async fn delete(token: String) -> Result<data::DeleteResponse> {
|
||||
if !token.is_alpha() {
|
||||
return Ok(data::DeleteResponse::Blocked);
|
||||
}
|
||||
|
||||
info!("Token: {}", token);
|
||||
Ok(data::DeleteResponse::Success)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue