add user input sanitation

2024-01-18 15:00:13 +01:00 · 2024-01-18 15:00:13 +01:00 · e615f774ad
parent ed38156e77
commit e615f774ad
1 changed files with 28 additions and 2 deletions
--- a/taskmanager/routes.py
+++ b/taskmanager/routes.py
@ -4,8 +4,7 @@ from taskmanager.functions import *
 from taskmanager.models import *
 import configparser

-#CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
-CONFIG_PATH = "/home/anon/src/taskmanager/taskmanager/config.ini"
+CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"

 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
@ -25,6 +24,17 @@ def addtask():
        taskname = request.form['taskname']
        taskdesc = request.form['taskdesc']
        username = request.form['username']
+        # Input sanitation
+        if not taskname.isalnum():
+            return "Task name has to be made only of letters or numbers."
+        if not username.isalnum():
+            return "Username has to be made only of letters or numbers."
+        if not taskdesc.isprintable():
+            return "Task description has to be made of printable characters."
+        if len(taskname) < 1 or len(taskname) > 40:
+            return "Task name lenght invalid, only smaller then 40 charachters allowed"
+        if len(taskdesc) > 2000:
+            return "Task description lenght invalid, only smaller then 2000 charachters allowed"
        if username == "":
            creatorid = None
        else:
@ -50,6 +60,18 @@ def register():
        username = request.form['username']
        contact = request.form['contact']
        password = request.form['password']
+        if not username.isalnum():
+            return "Username has to be made only of letters or numbers."
+        if not contact.isprintable():
+            return "Contact information has to be made of printable characters."
+        if not password.isprintable():
+            return "Password has to be made of printable characters."
+        if len(username) < 1 or len(username) > 40:
+            return "Username lenght invalid, only smaller then 40 charachters allowed"
+        if len(contact) > 100:
+            return "Contact lenght invalid, only smaller then 100 charachters allowed"
+        if len(password) > 500:
+            return "Password lenght invalid, only smaller then 500 charachters allowed"
        sqladduser = User(username = username, contact = contact, password = password)
        try:
            db.session.add(sqladduser)
@ -75,6 +97,8 @@ def project(task_id:int):
        return render_template("project.html", task = task, users = users)
    elif request.method == 'POST':
        username = request.form['username']
+        if len(username) < 1 or len(username) > 40:
+            return "Username lenght invalid, only smaller then 40 charachters allowed"
        if username in users:
            return 'User already added to task'
        try:
@ -112,6 +136,8 @@ def deltask(task_id:int):
            return render_template('deltask.html', task = task)
    if request.method == 'POST':
        password = request.form['password']
+        if len(password) < 1 or len(password) > 500:
+            return "Password lenght invalid, only smaller then 500 charachters allowed"
        # Check password
        if password != ADMINPASS and password != User.query.get(creatorid).password:
            return 'Wrong password'