From 48c307778ea6fc3960dabd1e4f3114970e1e8666 Mon Sep 17 00:00:00 2001
From: iou1name
Date: Mon, 15 Apr 2019 08:28:16 -0400
Subject: [PATCH] plug up some websocket security holes
---
 quest/events.py | 77 +++++++++++++++++++++++++++++--------------
 quest/static/quest.js | 2 +-
 todo | 1 -
 3 files changed, 54 insertions(+), 26 deletions(-)
diff --git a/quest/events.py b/quest/events.py
index 00d1dd4..23e8b18 100644
--- a/quest/events.py
+++ b/quest/events.py
@@ -24,6 +24,9 @@ def message(socket, data):
 Gets called when the server receives a 'message' event.
 """
 message = data.get('message')
+
+ if not all(locals().values()):
+ return
 
 # cleaning
 message = message[:512]
@@ -153,12 +156,15 @@ def text_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 post_text = data.get('text')
 page_num = data.get('page_num')
 
+ if not all(locals().values()):
+ return
+
 try:
 page = Page.objects.get(quest=quest, page_num=page_num)
 except Page.DoesNotExist:
@@ -207,8 +213,8 @@ def dice_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 page_num = data.get('page_num')
 try:
@@ -218,7 +224,8 @@ def dice_post(socket, data):
 
 form = DiceCallForm(data)
 if not form.is_valid():
- return # error message?
+ # TODO: error message event
+ return
 form = form.cleaned_data
 
 posts = Post.objects.filter(
@@ -288,8 +295,8 @@ def poll_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 page_num = data.get('page_num')
 try:
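Review bot: `if not all(locals().values()): return` rejects every falsy local, not just a missing field, so legitimate input is silently dropped: in the new_page hunk `appendix = bool(data.get('appendix'))` is False for every ordinary page, which makes the guard return before `if appendix:` is ever reached, and in the vote hunk the `polarity == False` branch (vote removal) becomes unreachable for the same reason, assuming `polarity` is a local assigned above that hunk; a `page_num` of 0 in text_post or dice_post would be refused too. The same guard is added in the text_post, edit_post, new_page, vote and write_in hunks, and it also folds in `socket`, `data`, `quest` and `user`, whose truthiness is not what the check is about. Check the fields you actually need explicitly; here, after `message = data.get('message')`, something like `if not isinstance(message, str) or not message: return` also keeps `message[:512]` from running on a non-string payload. The body of message continues below the hunk.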
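Review bot: The new comment `# 401 not allowed` on `if quest.owner != user:` in text_post mislabels the refusal: the comparison is about who owns the quest, not whether the caller is logged in, so in HTTP terms this is a 403 (forbidden) condition rather than a 401. Because the handler returns silently, the comment is the only record of intent, so it should be accurate, e.g. `# caller is not the quest owner: refuse (403-style)`. The same comment is repeated in the dice_post, poll_post, edit_post, close_post, open_post and new_page hunks.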
@@ -358,12 +365,15 @@ def edit_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 post_id = data.get('post_id')
 post_text = data.get('post_text')
 
+ if not all(locals().values()):
+ return
+
 try:
 p = Post.objects.get(id=post_id)
 except Post.DoesNotExist:
@@ -392,8 +402,8 @@ def close_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 post_id = data.get('post_id')
 try:
@@ -419,8 +429,8 @@ def open_post(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 post_id = data.get('post_id')
 try:
@@ -456,12 +466,15 @@ def new_page(socket, data):
 """
 quest = Quest.objects.get(id=socket.quest_id)
 user = socket.scope['user']
- if quest.owner != user:
- return # error message?
+ if quest.owner != user: # 401 not allowed
+ return
 
 title = data.get('page_title')
 appendix = bool(data.get('appendix'))
 
+ if not all(locals().values()):
+ return
+
 if appendix:
 page = Page.objects.filter(
 quest=quest,
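Review bot: The owner check in edit_post protects `quest`, but the lookup that follows, `p = Post.objects.get(id=post_id)`, is keyed only on a client-supplied global id with no visible tie to `socket.quest_id`; unless the rest of edit_post (outside the hunk) verifies that `p` belongs to `quest`, the owner of one quest can edit posts that belong to another. Scoping the query to the quest as well as the id (through whatever relation Post has to Quest, the same way the `Page.objects.get(quest=quest, ...)` lookups elsewhere in this diff are scoped) closes that in one line and still raises `Post.DoesNotExist` for the existing `except`. The close_post and open_post hunks use the same `Post.objects.get(id=post_id)` pattern and need the same treatment.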
@@ -521,23 +534,33 @@ def vote(socket, data):
 ip_address = socket.scope['client'][0]
 user = socket.scope['user']
 
- if polarity == False:
+ if not all(locals().values()):
+ return
+
+ try:
+ p = Poll.objects.get(post_id=post_id)
+ except Poll.DoesNotExist:
+ return
+
+ if not p.open:
+ return
+
+ if polarity == False: # player removes his vote
 try:
- v = PollVote.objects.get(
+ pv = PollVote.objects.get(
 ip_address=ip_address,
 option__id=option_id
 )
 except PollVote.DoesNotExist:
 return
- v.delete()
- else:
+ pv.delete()
+ else: # player makes a new vote
 try:
- p = Poll.objects.get(post_id=post_id)
 option = PollOption.objects.get(id=option_id)
- except (Poll.DoesNotExist, PollOption.DoesNotExist):
+ except PollOption.DoesNotExist:
 return
 
 pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
- if pvs.count() != 0:
+ if pvs.count() != 0: # if player has voted for this option already
 return
 if p.multi_choice == False:
@@ -572,20 +595,26 @@ def write_in(socket, data):
 Called when a player creates a new write-in.
 """
 post_id = data.get('post_id')
- option_text = data.get('option_text', '')
+ option_text = data.get('option_text')
 user = socket.scope['user']
 
+ if not all(locals().values()):
+ return
+
 try:
 p = Poll.objects.get(post_id=post_id)
 except Poll.DoesNotExist:
 return
 
+ if not p.allow_writein:
+ return
+
 option_text = option_text.strip()
 if not option_text:
 return
 option_text = "Write-in: " + bleach.clean(option_text)
 if len(option_text) > 200:
- # TODO: error message event
+ # TODO: error message event
 return
 o = PollOption(
 poll=p,
diff --git a/quest/static/quest.js b/quest/static/quest.js
index b5e5742..3268238 100644
--- a/quest/static/quest.js
+++ b/quest/static/quest.js
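Review bot: write_in now checks `p.allow_writein` but not whether the poll is still open, whereas vote in the hunk above refuses with `if not p.open: return`; as written, a write-in can still be added to a closed poll. Put the same condition next to the new one, `if not p.open or not p.allow_writein: return`, so both entry points apply the same rule. write_in continues past the end of the hunk, so confirm no open check already exists further down before adding this one.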
@@ -187,7 +187,7 @@ function submitWritein(post_id) {
 let option_text = writeinInput.value;
 writeinInput.value = '';
 if (!option_text) { return; }
- socket.send('write_in', {option_text: option_text, post_id: post_id});
+ socket.send('write_in', {post_id: post_id, option_text: option_text});
 }
 
 /* Helpers */
diff --git a/todo b/todo
index 3015208..24aab17 100644
--- a/todo
+++ b/todo
@@ -4,7 +4,6 @@ Webm posting
 (you) counter
 Account managament
 Quote backlinks
-Email
 RSS
 
 Improvements: