From d5c0856abf61d990efd06b76bc3e112e6af3f847 Mon Sep 17 00:00:00 2001
From: Ske
Date: Fri, 19 Jul 2019 18:36:47 +0200
Subject: [PATCH] Fix bounds checking on member patch endpoint
---
 PluralKit.API/Controllers/MemberController.cs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/PluralKit.API/Controllers/MemberController.cs b/PluralKit.API/Controllers/MemberController.cs
index ffb69480..e3e6931b 100644
--- a/PluralKit.API/Controllers/MemberController.cs
+++ b/PluralKit.API/Controllers/MemberController.cs
@@ -38,16 +38,23 @@ namespace PluralKit.API.Controllers
             if (member.System != _auth.CurrentSystem.Id) return Unauthorized($"Member '{hid}' is not part of your system.");
 
+            if (newMember.Name == null)
+                return BadRequest("Member name can not be null.");
+
             // Explicit bounds checks
-            if (newMember.Name.Length > Limits.MaxMemberNameLength)
+            if (newMember.Name != null && newMember.Name.Length > Limits.MaxMemberNameLength)
                 return BadRequest($"Member name too long ({newMember.Name.Length} > {Limits.MaxMemberNameLength}.");
-            if (newMember.Pronouns.Length > Limits.MaxPronounsLength)
+            if (newMember.Pronouns != null && newMember.Pronouns.Length > Limits.MaxPronounsLength)
                 return BadRequest($"Member pronouns too long ({newMember.Pronouns.Length} > {Limits.MaxPronounsLength}.");
-            if (newMember.Description.Length > Limits.MaxDescriptionLength)
+            if (newMember.Description != null && newMember.Description.Length > Limits.MaxDescriptionLength)
                 return BadRequest($"Member descriptions too long ({newMember.Description.Length} > {Limits.MaxDescriptionLength}.");
 
             // Sanity bounds checks
-            if (newMember.AvatarUrl.Length > 1000 || newMember.Prefix.Length > 1000 || newMember.Suffix.Length > 1000)
+            if (newMember.AvatarUrl != null && newMember.AvatarUrl.Length > 1000)
+                return BadRequest();
+            if (newMember.Prefix != null && newMember.Prefix.Length > 1000)
+                return BadRequest();
+            if (newMember.Suffix != null && newMember.Suffix.Length > 1000)
                 return BadRequest();
 
             member.Name = newMember.Name;
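Review bot: The `newMember.Name != null &&` guard on the name length check is dead code once the new `if (newMember.Name == null) return BadRequest(...)` above it has run; dropping it, `if (newMember.Name.Length > Limits.MaxMemberNameLength)`, makes it visible that Name is the one required field while Pronouns, Description, AvatarUrl, Prefix and Suffix are optional (and if an empty or whitespace-only name should also be rejected, `string.IsNullOrWhiteSpace(newMember.Name)` in the new check covers both cases). The three new sanity checks return a bare `BadRequest()` while the explicit checks return a reason; a short message such as `return BadRequest("Avatar URL too long.");` keeps the endpoint's error reporting consistent and lets a client tell which field was rejected. The unchanged error messages on the context lines are missing the closing parenthesis before the period, e.g. `... > {Limits.MaxMemberNameLength}).");`. The enclosing action method starts and ends outside the hunk.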