From e615f774ad5443de8f30e5a5141f1379024c6674 Mon Sep 17 00:00:00 2001
From: fram3d
Date: Thu, 18 Jan 2024 15:00:13 +0100
Subject: [PATCH] add user input sanitation
---
 taskmanager/routes.py | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/taskmanager/routes.py b/taskmanager/routes.py
index e4da4d1..25775f3 100644
--- a/taskmanager/routes.py
+++ b/taskmanager/routes.py
@@ -4,8 +4,7 @@ from taskmanager.functions import *
 from taskmanager.models import *
 import configparser
-#CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
-CONFIG_PATH = "/home/anon/src/taskmanager/taskmanager/config.ini"
+CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
@@ -25,6 +24,17 @@ def addtask():
 taskname = request.form['taskname']
 taskdesc = request.form['taskdesc']
 username = request.form['username']
+ # Input sanitation
+ if not taskname.isalnum():
+ return "Task name has to be made only of letters or numbers."
+ if not username.isalnum():
+ return "Username has to be made only of letters or numbers."
+ if not taskdesc.isprintable():
+ return "Task description has to be made of printable characters."
+ if len(taskname) < 1 or len(taskname) > 40:
+ return "Task name lenght invalid, only smaller then 40 charachters allowed"
+ if len(taskdesc) > 2000:
+ return "Task description lenght invalid, only smaller then 2000 charachters allowed"
 if username == "":
 creatorid = None
 else:
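Review bot: The restored `CONFIG_PATH` is consumed by `config.read(CONFIG_PATH)` two lines below, and `ConfigParser.read()` silently skips a missing or unreadable file and returns an empty list, so a wrong deployment path does not fail at import but presumably later as a `KeyError` on the first `config[...]` lookup. Consider `with open(CONFIG_PATH) as f: config.read_file(f)` so the error names the path, or assert on the list `read()` returns. The dev/prod path swap this hunk reverts is also the kind of edit that keeps recurring with a hard-coded absolute path; an environment-variable override such as `os.environ.get("TASKMANAGER_CONFIG", "/var/taskmanager/taskmanager/config.ini")` would avoid it, though that needs `import os`, which is not visible in the hunk.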
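Review bot: The new `if not username.isalnum():` guard in `addtask()` rejects the empty string (`"".isalnum()` is False), so the `if username == "": creatorid = None` branch just below it can no longer be reached and the creator-less task path is now dead; the guard should read `if username and not username.isalnum():`. Separately, `str.isalnum()` is Unicode-aware, so if the intended alphabet is ASCII letters and digits use an explicit pattern such as `re.fullmatch(r"[A-Za-z0-9]{1,40}", taskname)`, which also folds in the length check (`re` would need importing). Each rejection is returned as a plain string with HTTP 200, where `return "...", 400` would let clients and tests distinguish a validation failure from success. The messages also misspell "length"/"than"/"characters" and say "smaller then 40" while 40 is accepted. `addtask` starts before this hunk and continues after it.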
@@ -50,6 +60,18 @@ def register():
 username = request.form['username']
 contact = request.form['contact']
 password = request.form['password']
+ if not username.isalnum():
+ return "Username has to be made only of letters or numbers."
+ if not contact.isprintable():
+ return "Contact information has to be made of printable characters."
+ if not password.isprintable():
+ return "Password has to be made of printable characters."
+ if len(username) < 1 or len(username) > 40:
+ return "Username lenght invalid, only smaller then 40 charachters allowed"
+ if len(contact) > 100:
+ return "Contact lenght invalid, only smaller then 100 charachters allowed"
+ if len(password) > 500:
+ return "Password lenght invalid, only smaller then 500 charachters allowed"
 sqladduser = User(username = username, contact = contact, password = password)
 try:
 db.session.add(sqladduser)
@@ -75,6 +97,8 @@ def project(task_id:int):
 return render_template("project.html", task = task, users = users)
 elif request.method == 'POST':
 username = request.form['username']
+ if len(username) < 1 or len(username) > 40:
+ return "Username lenght invalid, only smaller then 40 charachters allowed"
 if username in users:
 return 'User already added to task'
 try:
@@ -112,6 +136,8 @@ def deltask(task_id:int):
 return render_template('deltask.html', task = task)
 if request.method == 'POST':
 password = request.form['password']
+ if len(password) < 1 or len(password) > 500:
+ return "Password lenght invalid, only smaller then 500 charachters allowed"
 # Check password
 if password != ADMINPASS and password != User.query.get(creatorid).password:
 return 'Wrong password'
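Review bot: The checks added to `register()` cap the password length but leave the line beneath them, `User(username = username, contact = contact, password = password)`, storing the password exactly as submitted, and `deltask` in this same patch compares it with `!=` — as far as the hunks show, passwords are kept and compared in plaintext, which this sanitation does not change. Store a hash instead, e.g. `password = generate_password_hash(password)` from `werkzeug.security` (bundled with Flask, presumably the framework here given `request`/`render_template`), and verify with `check_password_hash` wherever the password is checked. A minimum length is also worth enforcing next to the 500 cap, and as elsewhere `isalnum()` admits any Unicode letter or digit, so use an explicit ASCII pattern if that is the intended alphabet. `register` starts before this hunk and its `try`/`except` continues after it.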
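Review bot: The `username` check added to `project()` enforces only length, whereas `addtask` and `register` in this same patch also require `username.isalnum()`; since the value is then matched against `users` and, presumably, looked up in the database inside the `try:` that follows, the same character check belongs here too, e.g. `if not username.isalnum() or len(username) > 40:` (a passing `isalnum()` already implies non-empty). As in the other hunks the rejection is returned with a 200 status; `return "...", 400` makes the failure explicit to the caller. `project` starts before this hunk and continues after it.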
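Review bot: The length guard added to `deltask()` does nothing about the line beneath it: `password != ADMINPASS and password != User.query.get(creatorid).password` compares a user-supplied secret against stored values with plain `!=`, which is both a plaintext comparison and not constant-time. Use `hmac.compare_digest(password, ADMINPASS)` for the admin secret (needs `import hmac`) and a hash verification such as `check_password_hash(user.password, password)` once registration stores hashes. The result of `User.query.get(creatorid)` is also dereferenced without a `None` check; `creatorid` is assigned outside this hunk, but `addtask` in this patch stores `creatorid = None` for tasks without a creator, so deleting such a task with a non-admin password would raise `AttributeError` instead of returning `'Wrong password'`. `deltask` starts before this hunk and continues after it.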