

bug fixes, sql insert attack protection
faisalnjs committed Oct 17, 2023
1 parent baed5cc commit f97d1f4
Showing 2 changed files with 41 additions and 26 deletions.
2 changes: 1 addition & 1 deletion frontend/partials/suggested.ejs
@@ -6,7 +6,7 @@
<div class="articles individual">
<h2>Suggested articles</h2>
<div class="grid">
<% const articles = cms.articles.filter(a => a.slug !== (article || []).slug).sort(() => Math.random() - 0.5).slice(0, 3); for (let i = 0; i < 3; i++) { const article = articles[i]; %>
<% const articles = cms.articles.filter(a => a.slug !== ((typeof article !== 'undefined') ? article.slug : '')).sort(() => Math.random() - 0.5).slice(0, 3); for (let i = 0; i < 3; i++) { const article = articles[i]; %>
<a class="article<% if (i % 3 === 0) { %> left<% } else if (i === 1 || (i - 1) % 3 === 0) { %> middle<% } else if ((i - 2) % 3 === 0) { %> right<% } %>" href="<%- vars.domain %>/articles/<%= new Date(article.date).getFullYear() %>/<%= article.slug %>" title="<%= article.title %>">
<div class="inner">
<img src="<% if (article.images[0] != null) { %><%- vars.asset_prefix %><%= article.images[0].path %>" <% if (article.images[0].width < article.images[0].height) { %>style="width: min-content;" <% if (article.images[0].description != "") { %>alt="<%= article.images[0].description %>"<% } %><% } } else { %> "<% } %> />
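Review bot: The new `typeof article !== 'undefined'` guard in the filter handles an undeclared or undefined `article` but not a `null` one; if any page renders this partial with `article` explicitly set to `null`, `article.slug` still throws, so `((typeof article !== 'undefined' && article != null) ? article.slug : '')` would cover both cases. Whether a caller ever passes `null` is not visible in this diff, so treat that as something to confirm rather than a certain defect. The surrounding template (the `for` loop opened on this line) continues outside the hunk.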
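--- a/index.js
+++ b/index.js
@@ -187,12 +187,17 @@ async function startApp() {
 await allRoutes(req, res);
 var newspaper = cms.newspapers.find(newspaper => newspaper.slug === req.params.newspaper);
 if (newspaper && req.body.id && (req.body.name.length > 0) && (req.body.email.includes('.')) && (req.body.email.length > 0) && (req.body.content.length > 0)) {
-db.query("INSERT INTO comments (author_name, author_email, post_id, content) VALUES (?, ?, ?, ?)", [req.body.name, req.body.email, req.body.id, req.body.content], function (err, results, fields) {
-if (err) {
-console.log(err);
-};
-res.redirect(`/newspapers/${req.params.newspaper}#${results.insertId}`);
-});
+try {
+db.query("INSERT INTO comments (author_name, author_email, post_id, content) VALUES (?, ?, ?, ?)", [req.body.name, req.body.email, req.body.id, req.body.content], function (err, results, fields) {
+if (err) {
+console.log(err);
+};
+res.redirect(`/newspapers/${req.params.newspaper}#${results.insertId}`);
+});
+} catch {
+console.log(`DoS Attack Attempted: IP is ${req.ip}, URL is ${req.originalUrl}, Query is ${JSON.stringify(req.query)}, Body is ${JSON.stringify(req.body)}`);
+res.redirect(`/newspapers/${req.params.newspaper}`);
+};
 } else {
 res.redirect('/');
 };
@@ -221,12 +226,17 @@ async function startApp() {
 await allRoutes(req, res);
 var article = cms.articles.find(article => { return article.slug === req.params.article && (new Date(article.date)).getFullYear() === Number(req.params.year) });
 if (article && req.body.id && (req.body.name.length > 0) && (req.body.email.includes('.')) && (req.body.email.length > 0) && (req.body.content.length > 0)) {
-db.query("INSERT INTO comments (author_name, author_email, post_id, content) VALUES (?, ?, ?, ?)", [req.body.name, req.body.email, req.body.id, req.body.content], function (err, results, fields) {
-if (err) {
-console.log(err);
-};
-res.redirect(`/articles/${req.params.year}/${req.params.article}#${results.insertId}`);
-});
+try {
+db.query("INSERT INTO comments (author_name, author_email, post_id, content) VALUES (?, ?, ?, ?)", [req.body.name, req.body.email, req.body.id, req.body.content], function (err, results, fields) {
+if (err) {
+console.log(err);
+};
+res.redirect(`/articles/${req.params.year}/${req.params.article}#${results.insertId}`);
+});
+} catch {
+console.log(`DoS Attack Attempted: IP is ${req.ip}, URL is ${req.originalUrl}, Query is ${JSON.stringify(req.query)}, Body is ${JSON.stringify(req.body)}`);
+res.redirect(`/articles/${req.params.year}/${req.params.article}`);
+};
 } else {
 res.redirect('/');
 };
@@ -285,19 +295,24 @@ async function startApp() {
 if (responses.length === 0) {
 for (let i = 0; i < poll.answers.length; i++) {
 if (poll.answers[i] === req.body.answer) {
-db.prepare("INSERT INTO poll_responses (name, ip, session_id, poll_id, response_id) VALUES (?, ?, ?, ?, ?)", (err, statement) => {
-if (err) {
-console.log(err);
-res.redirect(`/polls/${req.params.poll}?error=There was an error submitting your vote!`);
-} else {
-statement.execute([req.body.name, req.ip, req.cookies.voteId, req.body.id, i], function (err, results, fields) {
-if (err) {
-console.log(err);
-};
-res.redirect(`/polls/${req.params.poll}`);
-});
-};
-});
+try {
+db.prepare("INSERT INTO poll_responses (name, ip, session_id, poll_id, response_id) VALUES (?, ?, ?, ?, ?)", (err, statement) => {
+if (err) {
+console.log(err);
+res.redirect(`/polls/${req.params.poll}?error=There was an error submitting your vote!`);
+} else {
+statement.execute([req.body.name, req.ip, req.cookies.voteId, req.body.id, i], function (err, results, fields) {
+if (err) {
+console.log(err);
+};
+res.redirect(`/polls/${req.params.poll}`);
+});
+};
+});
+} catch {
+console.log(`DoS Attack Attempted: IP is ${req.ip}, URL is ${req.originalUrl}, Query is ${JSON.stringify(req.query)}, Body is ${JSON.stringify(req.body)}`);
+res.redirect(`/polls/${req.params.poll}`);
+};
 };
 };
 } else {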
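Review bot: The new `try { … } catch { … }` around `db.query` in the `/newspapers` hunk does not protect the callback it wraps, because `db.query` returns before the callback runs; the callback's error branch still falls through to ``res.redirect(`/newspapers/${req.params.newspaper}#${results.insertId}`)`` with `results` undefined when `err` is set, and that TypeError is thrown asynchronously outside the try. Returning from the error branch fixes it, e.g. ``if (err) { console.log(err); return res.redirect(`/newspapers/${req.params.newspaper}`); }``, and the same change is needed in the `/articles` hunk and in the `statement.execute` callback of the `/polls` hunk. The catch block also writes the raw `req.body` (commenter name, email and content) to stdout under the label "DoS Attack Attempted" for any synchronous throw; logging only the field names or their lengths keeps personal data out of logs, and a neutral label such as `Rejected comment insert` avoids mislabelling ordinary malformed requests. Note that the guard ``req.body.name.length > 0`` on the context line above each try dereferences the body fields before the try begins, so a missing field still throws outside it; the enclosing route handlers continue outside the hunks.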
