From cf669024bff29e2d408b46b33b6c3e863d35c1c1 Mon Sep 17 00:00:00 2001
From: Kevin Froman <beardog@mailbox.org>
Date: Thu, 15 Oct 2020 22:02:51 +0000
Subject: [PATCH] handle invalid input when adding peer better

---
 src/coredb/keydb/addkeys.py               | 39 ++++++++++-------------
 src/httpapi/miscclientapi/addpeer.py      | 20 ++++++++++--
 static-data/www/shared/sidebar/sidebar.js | 11 +++++++
 3 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/src/coredb/keydb/addkeys.py b/src/coredb/keydb/addkeys.py
index ad3a34f5..a9c87316 100644
--- a/src/coredb/keydb/addkeys.py
+++ b/src/coredb/keydb/addkeys.py
@@ -1,9 +1,15 @@
-'''
-    Onionr - Private P2P Communication
+"""Onionr - Private P2P Communication.
 
-    add user keys or transport addresses
-'''
-'''
+add user keys or transport addresses
+"""
+import sqlite3
+from onionrutils import stringvalidators
+from . import listkeys
+from utils import gettransports
+from .. import dbfiles
+import onionrcrypto
+from etc import onionrvalues
+"""
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
     the Free Software Foundation, either version 3 of the License, or
@@ -16,20 +22,11 @@
 
     You should have received a copy of the GNU General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
-'''
-import sqlite3
-from onionrplugins import onionrevents as events
-from onionrutils import stringvalidators
-from . import listkeys
-from utils import gettransports
-from .. import dbfiles
-import onionrcrypto
-from etc import onionrvalues
+"""
+
 
 def add_peer(peerID, name=''):
-    '''
-        Adds a public key to the key database (misleading function name)
-    '''
+    """Add a public key to the key database (misleading function name)."""
     if peerID in listkeys.list_peers() or peerID == onionrcrypto.pub_key:
         raise ValueError("specified id is already known")
 
@@ -37,8 +34,6 @@ def add_peer(peerID, name=''):
     if not stringvalidators.validate_pub_key(peerID):
         return False
 
-    #events.event('pubkey_add', data = {'key': peerID}, onionr = core_inst.onionrInst)
-
     conn = sqlite3.connect(dbfiles.user_id_info_db, timeout=onionrvalues.DATABASE_LOCK_TIMEOUT)
     hashID = ""
     c = conn.cursor()
@@ -60,9 +55,9 @@ def add_peer(peerID, name=''):
     return True
 
 def add_address(address):
-    '''
+    """
         Add an address to the address database (only tor currently)
-    '''
+    """
 
     if type(address) is None or len(address) == 0:
         return False
@@ -89,8 +84,6 @@ def add_address(address):
         conn.commit()
         conn.close()
 
-        #events.event('address_add', data = {'address': address}, onionr = core_inst.onionrInst)
-
         return True
     else:
         return False
diff --git a/src/httpapi/miscclientapi/addpeer.py b/src/httpapi/miscclientapi/addpeer.py
index 82c2cc64..bdbef002 100644
--- a/src/httpapi/miscclientapi/addpeer.py
+++ b/src/httpapi/miscclientapi/addpeer.py
@@ -1,11 +1,27 @@
+"""Onionr - Private P2P Communication.
+
+add a transport address to the db
+"""
 from onionrutils.stringvalidators import validate_transport
 from coredb.keydb.addkeys import add_address
 from coredb.keydb.listkeys import list_adders
+"""
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
 
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+"""
 
 def add_peer(peer):
-    # this is ok for security since add_address does this manually
-    assert validate_transport(peer)
+
     if peer in list_adders():
         return "already added"
     if add_address(peer):
diff --git a/static-data/www/shared/sidebar/sidebar.js b/static-data/www/shared/sidebar/sidebar.js
index 854bddc0..492b673e 100644
--- a/static-data/www/shared/sidebar/sidebar.js
+++ b/static-data/www/shared/sidebar/sidebar.js
@@ -13,11 +13,22 @@ fetch('/shared/sidebar/sidebar.html', {
 function sidebarAddPeerRegister(){
     document.getElementById('addPeerBtn').onclick = function(){
         let newPeer = document.getElementById('addPeerInput').value
+
+        if (! newPeer.includes(".")){
+            PNotify.error({text: "Invalid peer address"})
+            return
+        }
         fetch('/addpeer/' + newPeer, {
             method: 'POST',
             headers: {
             "token": webpass
             }})
+        .then(function(resp){
+            if (! resp.ok){
+                PNotify.error({text: "Could not add peer. Is your input valid?"})
+                throw new Error("Could not add peer " + newPeer)
+            }
+        })
         .then((resp) => resp.text())
         .then(function(data) {
             if (data == "success"){