add user input sanitation

This commit is contained in:
fram3d 2024-01-18 15:00:13 +01:00
parent ed38156e77
commit e615f774ad
Signed by: fram3d
GPG Key ID: 938920E709EEA32A


@ -4,8 +4,7 @@ from taskmanager.functions import *
from taskmanager.models import * from taskmanager.models import *
import configparser import configparser
#CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini" CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
CONFIG_PATH = "/home/anon/src/taskmanager/taskmanager/config.ini"
config = configparser.ConfigParser() config = configparser.ConfigParser()
config.read(CONFIG_PATH) config.read(CONFIG_PATH)
@ -25,6 +24,17 @@ def addtask():
taskname = request.form['taskname'] taskname = request.form['taskname']
taskdesc = request.form['taskdesc'] taskdesc = request.form['taskdesc']
username = request.form['username'] username = request.form['username']
# Input sanitation
if not taskname.isalnum():
return "Task name has to be made only of letters or numbers."
if not username.isalnum():
return "Username has to be made only of letters or numbers."
if not taskdesc.isprintable():
return "Task description has to be made of printable characters."
if len(taskname) < 1 or len(taskname) > 40:
return "Task name lenght invalid, only smaller then 40 charachters allowed"
if len(taskdesc) > 2000:
return "Task description lenght invalid, only smaller then 2000 charachters allowed"
if username == "": if username == "":
creatorid = None creatorid = None
else: else:
@ -50,6 +60,18 @@ def register():
username = request.form['username'] username = request.form['username']
contact = request.form['contact'] contact = request.form['contact']
password = request.form['password'] password = request.form['password']
if not username.isalnum():
return "Username has to be made only of letters or numbers."
if not contact.isprintable():
return "Contact information has to be made of printable characters."
if not password.isprintable():
return "Password has to be made of printable characters."
if len(username) < 1 or len(username) > 40:
return "Username lenght invalid, only smaller then 40 charachters allowed"
if len(contact) > 100:
return "Contact lenght invalid, only smaller then 100 charachters allowed"
if len(password) > 500:
return "Password lenght invalid, only smaller then 500 charachters allowed"
sqladduser = User(username = username, contact = contact, password = password) sqladduser = User(username = username, contact = contact, password = password)
try: try:
db.session.add(sqladduser) db.session.add(sqladduser)
@ -75,6 +97,8 @@ def project(task_id:int):
return render_template("project.html", task = task, users = users) return render_template("project.html", task = task, users = users)
elif request.method == 'POST': elif request.method == 'POST':
username = request.form['username'] username = request.form['username']
if len(username) < 1 or len(username) > 40:
return "Username lenght invalid, only smaller then 40 charachters allowed"
if username in users: if username in users:
return 'User already added to task' return 'User already added to task'
try: try:
@ -112,6 +136,8 @@ def deltask(task_id:int):
return render_template('deltask.html', task = task) return render_template('deltask.html', task = task)
if request.method == 'POST': if request.method == 'POST':
password = request.form['password'] password = request.form['password']
if len(password) < 1 or len(password) > 500:
return "Password lenght invalid, only smaller then 500 charachters allowed"
# Check password # Check password
if password != ADMINPASS and password != User.query.get(creatorid).password: if password != ADMINPASS and password != User.query.get(creatorid).password:
return 'Wrong password' return 'Wrong password'
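Review bot: The new `if not username.isalnum():` check in the addtask hunk rejects an empty username (`"".isalnum()` is False), so the existing `if username == "": creatorid = None` branch that follows it can no longer be reached; if tasks without a creator are still meant to be allowed, guard it as `if username and not username.isalnum():`. The same hunk's `len(taskname) < 1` test is redundant for the same reason, and the project() hunk checks only the username's length, not `isalnum()`, so the three call sites disagree on what a valid username is. The register hunk sets no minimum password length, and every validation failure in all four hunks is returned with a 200 status where `return "...", 400` would let clients and logs tell rejected input from success. The user-facing messages in all four hunks misspell "length", "than" and "characters". The bodies of addtask, register, project and deltask all begin before and continue after their hunks.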