From 247318d67b4202c46a9824c9effa27ed1fb86d97 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Mon, 3 Oct 2022 16:40:33 -0400
Subject: [PATCH] Sanitize /casino/ parameter input.

---
 files/classes/casino_game.py | 1 +
 files/routes/casino.py | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/files/classes/casino_game.py b/files/classes/casino_game.py
index e8fcdd72bb..5e1d9a4fab 100644
--- a/files/classes/casino_game.py
+++ b/files/classes/casino_game.py
@@ -2,6 +2,7 @@
 from sqlalchemy import *
 from files.__main__ import Base
 import time
+CASINO_GAME_KINDS = ['blackjack', 'slots', 'roulette']
 
 class Casino_Game(Base):
 	__tablename__ = "casino_games"
diff --git a/files/routes/casino.py b/files/routes/casino.py
index 7ed64404ad..99c58a03c1 100644
--- a/files/routes/casino.py
+++ b/files/routes/casino.py
@@ -27,6 +27,8 @@ def casino(v):
 def casino_game_page(v, game):
 	if v.rehab:
 		return render_template("casino/rehab.html", v=v)
+	if game not in CASINO_GAME_KINDS:
+		abort(404)
 
 	feed = json.dumps(get_game_feed(game))
 	leaderboard = json.dumps(get_game_leaderboard(game))
@@ -52,6 +54,8 @@ def casino_game_page(v, game):
 def casino_game_feed(v, game):
 	if v.rehab:
 		return {"error": "You are under Rehab award effect!"}, 400
+	if game not in CASINO_GAME_KINDS:
+		abort(404)
 
 	feed = get_game_feed(game)
 	return {"feed": feed}
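Review bot: CASINO_GAME_KINDS is declared as a mutable module-level list although its only role is a membership allowlist; `CASINO_GAME_KINDS = ('blackjack', 'slots', 'roulette')` (or a frozenset) states that intent and cannot be appended to by accident from another module. The patch adds no import to files/routes/casino.py, so the guards there presumably pick the name up through a wildcard import of files.classes — worth confirming, because a missing name would only surface at request time as a NameError turned into a 500. A short comment above the constant, such as `# Allowlist of game names accepted as the /casino/<game> URL parameter`, would tie this model-module constant to the routes that depend on it.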
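Review bot: The same two-line allowlist guard is pasted into casino_game_page here and again into casino_game_feed in the next hunk, and both functions' decorators and bodies continue outside the hunks, so future routes taking the same parameter can silently miss it. Since `game` is a URL path parameter, constraining it once in the route rule with Flask's `any` converter, e.g. a path of the form `/casino/<any(blackjack,slots,roulette):game>`, would reject unknown values before either view runs and keep the two routes in step; the route decorators are not visible in the hunk, so this is a suggestion to check against them. If the in-view check is kept, a comment like `# game comes straight from the URL; reject anything outside the allowlist before it reaches get_game_feed` explains why it must precede the feed and leaderboard calls.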
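Review bot: `abort(404)` in casino_game_feed produces Flask's default HTML 404 response, while the rehab branch two lines above returns a JSON body with a status code, so a client consuming this feed endpoint sees two different error shapes from the same view. Returning a JSON error in the same form, e.g. `return {"error": "Invalid game."}, 404` (message constructed for illustration), keeps the endpoint's contract consistent and is easier for the page's fetch code to handle. The enclosing function continues outside the hunk.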