From cf669024bff29e2d408b46b33b6c3e863d35c1c1 Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Thu, 15 Oct 2020 22:02:51 +0000 Subject: [PATCH] handle invalid input when adding peer better --- src/coredb/keydb/addkeys.py | 39 ++++++++++------------- src/httpapi/miscclientapi/addpeer.py | 20 ++++++++++-- static-data/www/shared/sidebar/sidebar.js | 11 +++++++ 3 files changed, 45 insertions(+), 25 deletions(-) diff --git a/src/coredb/keydb/addkeys.py b/src/coredb/keydb/addkeys.py index ad3a34f5..a9c87316 100644 --- a/src/coredb/keydb/addkeys.py +++ b/src/coredb/keydb/addkeys.py @@ -1,9 +1,15 @@ -''' - Onionr - Private P2P Communication +"""Onionr - Private P2P Communication. - add user keys or transport addresses -''' -''' +add user keys or transport addresses +""" +import sqlite3 +from onionrutils import stringvalidators +from . import listkeys +from utils import gettransports +from .. import dbfiles +import onionrcrypto +from etc import onionrvalues +""" This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or @@ -16,20 +22,11 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . -''' -import sqlite3 -from onionrplugins import onionrevents as events -from onionrutils import stringvalidators -from . import listkeys -from utils import gettransports -from .. import dbfiles -import onionrcrypto -from etc import onionrvalues +""" + def add_peer(peerID, name=''): - ''' - Adds a public key to the key database (misleading function name) - ''' + """Add a public key to the key database (misleading function name).""" if peerID in listkeys.list_peers() or peerID == onionrcrypto.pub_key: raise ValueError("specified id is already known") 
@@ -37,8 +34,6 @@ def add_peer(peerID, name=''): if not stringvalidators.validate_pub_key(peerID): return False - #events.event('pubkey_add', data = {'key': peerID}, onionr = core_inst.onionrInst) - conn = sqlite3.connect(dbfiles.user_id_info_db, timeout=onionrvalues.DATABASE_LOCK_TIMEOUT) hashID = "" c = conn.cursor() @@ -60,9 +55,9 @@ def add_peer(peerID, name=''): return True def add_address(address): - ''' + """ Add an address to the address database (only tor currently) - ''' + """ if type(address) is None or len(address) == 0: return False @@ -89,8 +84,6 @@ def add_address(address): conn.commit() conn.close() - #events.event('address_add', data = {'address': address}, onionr = core_inst.onionrInst) - return True else: return False diff --git a/src/httpapi/miscclientapi/addpeer.py b/src/httpapi/miscclientapi/addpeer.py index 82c2cc64..bdbef002 100644 --- a/src/httpapi/miscclientapi/addpeer.py +++ b/src/httpapi/miscclientapi/addpeer.py 
@@ -1,11 +1,27 @@ +"""Onionr - Private P2P Communication. + +add a transport address to the db +""" from onionrutils.stringvalidators import validate_transport from coredb.keydb.addkeys import add_address from coredb.keydb.listkeys import list_adders +""" + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +""" def add_peer(peer): - # this is ok for security since add_address does this manually - assert validate_transport(peer) + if peer in list_adders(): return "already added" if add_address(peer): diff --git a/static-data/www/shared/sidebar/sidebar.js b/static-data/www/shared/sidebar/sidebar.js index 854bddc0..492b673e 100644 --- a/static-data/www/shared/sidebar/sidebar.js +++ b/static-data/www/shared/sidebar/sidebar.js @@ -13,11 +13,22 @@ fetch('/shared/sidebar/sidebar.html', { function sidebarAddPeerRegister(){ document.getElementById('addPeerBtn').onclick = function(){ let newPeer = document.getElementById('addPeerInput').value + + if (! newPeer.includes(".")){ + PNotify.error({text: "Invalid peer address"}) + return + } fetch('/addpeer/' + newPeer, { method: 'POST', headers: { "token": webpass }}) + .then(function(resp){ + if (! resp.ok){ + PNotify.error({text: "Could not add peer. Is your input valid?"}) + throw new Error("Could not add peer " + newPeer) + } + }) .then((resp) => resp.text()) .then(function(data) { if (data == "success"){
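Review bot: With the assert removed, add_peer no longer validates `peer` itself and relies entirely on add_address, yet the context line `from onionrutils.stringvalidators import validate_transport` is kept and is now unused. Dropping the assert is reasonable, since asserts are stripped under `python -O` and otherwise surface as an unhandled AssertionError, but an explicit `if not validate_transport(peer):` guard that returns the function's failure value would keep the check at the API boundary and ahead of the `list_adders()` lookup. The guard that add_address opens with, visible in the addkeys.py hunk at -60,9 as `if type(address) is None or len(address) == 0:`, never matches None because `type()` never returns None; `if address is None or len(address) == 0:` is presumably what was meant. add_peer's body continues past the end of this hunk, so the value it returns on failure is not visible here.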
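Review bot: The added `.then(function(resp){ ... })` handler returns nothing when `resp.ok` is true, so the following `.then((resp) => resp.text())` receives `undefined` and throws a TypeError; a successful add can never reach the `data == "success"` branch. Ending the handler with `return resp` fixes that. Separately, `newPeer` is concatenated into the request path after only an `includes(".")` check, so characters such as `/`, `?` or `#` change which URL is requested; `fetch('/addpeer/' + encodeURIComponent(newPeer), {` keeps the input inside a single path segment. No `.catch` appears in the visible lines, so the thrown Error would likely surface as an unhandled rejection, though the chain continues past the end of this hunk.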