plug up some websocket security holes

2019-04-15 08:28:16 -04:00 · 2019-04-15 08:28:16 -04:00 · 48c307778e
commit 48c307778e
parent 05a618a15f
3 changed files with 54 additions and 26 deletions
--- a/quest/events.py
+++ b/quest/events.py
@ -25,6 +25,9 @@ def message(socket, data):
 	"""
 	message = data.get('message')
 	
+	if not all(locals().values()):
+		return
+
 	# cleaning
 	message = message[:512]
 	message = message.strip()
@ -153,12 +156,15 @@ def text_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	post_text = data.get('text')
 	page_num = data.get('page_num')

+	if not all(locals().values()):
+		return
+
 	try:
 		page = Page.objects.get(quest=quest, page_num=page_num)
 	except Page.DoesNotExist:
@ -207,8 +213,8 @@ def dice_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	page_num = data.get('page_num')
 	try:
@ -218,7 +224,8 @@ def dice_post(socket, data):

 	form = DiceCallForm(data)
 	if not form.is_valid():
-		return # error message?
+		# TODO: error message event
+		return
 	form = form.cleaned_data

 	posts = Post.objects.filter(
@ -288,8 +295,8 @@ def poll_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	page_num = data.get('page_num')
 	try:
@ -358,12 +365,15 @@ def edit_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	post_id = data.get('post_id')
 	post_text = data.get('post_text')

+	if not all(locals().values()):
+		return
+
 	try:
 		p = Post.objects.get(id=post_id)
 	except Post.DoesNotExist:
@ -392,8 +402,8 @@ def close_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	post_id = data.get('post_id')
 	try:
@ -419,8 +429,8 @@ def open_post(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	post_id = data.get('post_id')
 	try:
@ -456,12 +466,15 @@ def new_page(socket, data):
 	"""
 	quest = Quest.objects.get(id=socket.quest_id)
 	user = socket.scope['user']
-	if quest.owner != user:
-		return # error message?
+	if quest.owner != user: # 401 not allowed
+		return

 	title = data.get('page_title')
 	appendix = bool(data.get('appendix'))

+	if not all(locals().values()):
+		return
+
 	if appendix:
 		page = Page.objects.filter(
 			quest=quest,
@ -521,23 +534,33 @@ def vote(socket, data):
 	ip_address = socket.scope['client'][0]
 	user = socket.scope['user']

-	if polarity == False:
+	if not all(locals().values()):
+		return
+
+	try:
+		p = Poll.objects.get(post_id=post_id)
+	except Poll.DoesNotExist:
+		return
+
+	if not p.open:
+		return
+
+	if polarity == False: # player removes his vote
 		try:
-			v = PollVote.objects.get(
+			pv = PollVote.objects.get(
 				ip_address=ip_address,
 				option__id=option_id
 			)
 		except PollVote.DoesNotExist:
 			return
-		v.delete()
-	else:
+		pv.delete()
+	else: # player makes a new vote
 		try:
-			p = Poll.objects.get(post_id=post_id)
 			option = PollOption.objects.get(id=option_id)
-		except (Poll.DoesNotExist, PollOption.DoesNotExist):
+		except PollOption.DoesNotExist:
 			return
 		pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
-		if pvs.count() != 0:
+		if pvs.count() != 0: # if player has voted for this option already
 			return

 		if p.multi_choice == False:
@ -572,20 +595,26 @@ def write_in(socket, data):
 	Called when a player creates a new write-in.
 	"""
 	post_id = data.get('post_id')
-	option_text = data.get('option_text', '')
+	option_text = data.get('option_text')
 	user = socket.scope['user']

+	if not all(locals().values()):
+		return
+
 	try:
 		p = Poll.objects.get(post_id=post_id)
 	except Poll.DoesNotExist:
 		return

+	if not p.allow_writein:
+		return
+
 	option_text = option_text.strip()
 	if not option_text:
 		return
 	option_text = "Write-in: " +  bleach.clean(option_text)
 	if len(option_text) > 200:
-		# error message?
+		# TODO: error message event
 		return
 	o = PollOption(
 		poll=p,
--- a/quest/static/quest.js
+++ b/quest/static/quest.js
@ -187,7 +187,7 @@ function submitWritein(post_id) {
 	let option_text = writeinInput.value;
 	writeinInput.value = '';
 	if (!option_text) { return; }
-	socket.send('write_in', {option_text: option_text, post_id: post_id});
+	socket.send('write_in', {post_id: post_id, option_text: option_text});
 }

 /* Helpers */
--- a/1
+++ b/1
@ -4,7 +4,6 @@ Webm posting
 (you) counter
 Account managament
 Quote backlinks
-Email
 RSS

 Improvements: