add user input sanitation

taskmanager/routes.py

@@ -4,8 +4,7 @@ from taskmanager.functions import *
 from taskmanager.models import *
 import configparser
 
-#CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
-CONFIG_PATH = "/home/anon/src/taskmanager/taskmanager/config.ini"
+CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
 
 config = configparser.ConfigParser()
 config.read(CONFIG_PATH)
@@ -25,6 +24,17 @@ def addtask():
         taskname = request.form['taskname']
         taskdesc = request.form['taskdesc']
         username = request.form['username']
+        # Input sanitation
+        if not taskname.isalnum():
+            return "Task name has to be made only of letters or numbers."
+        if not username.isalnum():
+            return "Username has to be made only of letters or numbers."
+        if not taskdesc.isprintable():
+            return "Task description has to be made of printable characters."
+        if len(taskname) < 1 or len(taskname) > 40:
+            return "Task name lenght invalid, only smaller then 40 charachters allowed"
+        if len(taskdesc) > 2000:
+            return "Task description lenght invalid, only smaller then 2000 charachters allowed"
         if username == "":
             creatorid = None
         else:
@@ -50,6 +60,18 @@ def register():
         username = request.form['username']
         contact = request.form['contact']
         password = request.form['password']
+        if not username.isalnum():
+            return "Username has to be made only of letters or numbers."
+        if not contact.isprintable():
+            return "Contact information has to be made of printable characters."
+        if not password.isprintable():
+            return "Password has to be made of printable characters."
+        if len(username) < 1 or len(username) > 40:
+            return "Username lenght invalid, only smaller then 40 charachters allowed"
+        if len(contact) > 100:
+            return "Contact lenght invalid, only smaller then 100 charachters allowed"
+        if len(password) > 500:
+            return "Password lenght invalid, only smaller then 500 charachters allowed"
         sqladduser = User(username = username, contact = contact, password = password)
         try:
             db.session.add(sqladduser)
@@ -75,6 +97,8 @@ def project(task_id:int):
         return render_template("project.html", task = task, users = users)
     elif request.method == 'POST':
         username = request.form['username']
+        if len(username) < 1 or len(username) > 40:
+            return "Username lenght invalid, only smaller then 40 charachters allowed"
         if username in users:
             return 'User already added to task'
         try:
@@ -112,6 +136,8 @@ def deltask(task_id:int):
             return render_template('deltask.html', task = task)
     if request.method == 'POST':
         password = request.form['password']
+        if len(password) < 1 or len(password) > 500:
+            return "Password lenght invalid, only smaller then 500 charachters allowed"
         # Check password
         if password != ADMINPASS and password != User.query.get(creatorid).password:
             return 'Wrong password'