fix 17 potential 500s

2022-10-16 02:51:42 -07:00 · 2022-10-16 02:51:42 -07:00 · f4af073253
parent 3f9b51f0c1
commit f4af073253
10 changed files with 66 additions and 47 deletions
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -751,9 +751,8 @@ def alt_votes_get(v):
@limiter.limit("1/second;30/minute;200/hour;1000/day")
@admin_level_required(PERMS['USER_LINK'])
 def admin_link_accounts(v):
-
-	u1 = int(request.values.get("u1"))
-	u2 = int(request.values.get("u2"))
+	u1 = get_account(request.values.get("u1")).id
+	u2 = get_account(request.values.get("u2")).id

 	new_alt = Alt(
 		user1=u1, 
--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@ -266,7 +266,10 @@ if SITE not in ('pcmemes.net', 'watchpeopledie.co'):
 		if not hat_regex.fullmatch(new_name): abort(400, "Invalid name!")
 		if not description_regex.fullmatch(description): abort(400, "Invalid description!")

-		hat.price = int(request.values.get('price'))
+		try:
+			hat.price = int(request.values.get('price'))
+		except:
+			abort(400, "Invalid hat price")
 		hat.name = new_name
 		hat.description = description
 		g.db.add(hat)
--- a/files/routes/giphy.py
+++ b/files/routes/giphy.py
@ -12,7 +12,11 @@ from files.__main__ import app
 def giphy(v=None, path=None):

 	searchTerm = request.values.get("searchTerm", "").strip()
-	limit = int(request.values.get("limit", 48))
+	limit = 48
+	try:
+		limit = int(request.values.get("limit", 48))
+	except:
+		pass
 	if searchTerm and limit:
 		url = f"https://api.giphy.com/v1/gifs/search?q={searchTerm}&api_key={GIPHY_KEY}&limit={limit}"
 	elif searchTerm and not limit:
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -302,7 +302,11 @@ def sign_up_post(v):

 	session.pop("signup_token")

-	ref_id = int(request.values.get("referred_by", 0))
+	ref_id = 0
+	try:
+		ref_id = int(request.values.get("referred_by", 0))
+	except:
+		pass

 	users_count = g.db.query(User).count()
 	if users_count == 4:
@ -409,10 +413,12 @@ def post_forgot():

@app.get("/reset")
 def get_reset():
-
 	user_id = request.values.get("id")
-
-	timestamp = int(request.values.get("time",0))
+	timestamp = 0
+	try:
+		timestamp = int(request.values.get("time",0))
+	except:
+		pass
 	token = request.values.get("token")

 	now = int(time.time())
@ -448,8 +454,11 @@ def post_reset(v):
 	if v: return redirect('/')

 	user_id = request.values.get("user_id")
-
-	timestamp = int(request.values.get("time"))
+	timestamp = 0
+	try:
+		timestamp = int(request.values.get("time"))
+	except:
+		abort(400)
 	token = request.values.get("token")

 	password = request.values.get("password")
@ -534,11 +543,13 @@ def request_2fa_disable():

@app.get("/reset_2fa")
 def reset_2fa():
-
 	now=int(time.time())
 	t = request.values.get("t")
 	if not t: abort(400)
-	t = int(t)
+	try:
+		t = int(t)
+	except:
+		abort(400)

 	if now > t+3600*24:
 		return render_template("message.html",
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@ -97,8 +97,10 @@ def request_api_keys(v):
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
@auth_required
 def delete_oauth_app(v, aid):
-
-	aid = int(aid)
+	try:
+		aid = int(aid)
+	except:
+		abort(404)
 	app = g.db.get(OauthApp, aid)
 	if not app: abort(404)
 	
@ -118,8 +120,10 @@ def delete_oauth_app(v, aid):
@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
@is_not_permabanned
 def edit_oauth_app(v, aid):
-
-	aid = int(aid)
+	try:
+		aid = int(aid)
+	except:
+		abort(404)
 	app = g.db.get(OauthApp, aid)
 	if not app: abort(404)

--- a/files/routes/polls.py
+++ b/files/routes/polls.py
@ -9,13 +9,12 @@ from files.__main__ import app
@app.post("/vote/post/option/<option_id>")
@is_not_permabanned
 def vote_option(option_id, v):
-
-	option_id = int(option_id)
-
+	try:
+		option_id = int(option_id)
+	except:
+		abort(404)
 	option = g.db.get(SubmissionOption, option_id)
-
 	if not option: abort(404)
-
 	sub = option.post.sub

 	if sub in ('furry','vampire','racist','femboy') and not v.house.lower().startswith(sub):
@ -54,15 +53,13 @@ def vote_option(option_id, v):
@app.get("/votes/post/option/<option_id>")
@auth_required
 def option_votes(option_id, v):
-
-	option_id = int(option_id)
-
+	try:
+		option_id = int(option_id)
+	except:
+		abort(404)
 	option = g.db.get(SubmissionOption, option_id)
-
 	if not option: abort(404)
-
 	if option.post.ghost: abort(403)
-
 	ups = g.db.query(SubmissionOptionVote).filter_by(option_id=option_id).order_by(SubmissionOptionVote.created_utc).all()

 	return render_template("poll_votes.html",
@ -75,15 +72,13 @@ def option_votes(option_id, v):
@app.post("/vote/comment/option/<option_id>")
@is_not_permabanned
 def vote_option_comment(option_id, v):
-
-	option_id = int(option_id)
-
+	try:
+		option_id = int(option_id)
+	except:
+		abort(404)
 	option = g.db.get(CommentOption, option_id)
-
 	if not option: abort(404)
-
 	sub = option.comment.post.sub
-
 	if sub in ('furry','vampire','racist','femboy') and not v.house.lower().startswith(sub):
 		abort(403, f"You need to be a member of House {sub.capitalize()} to vote on polls in /h/{sub}")

@ -111,9 +106,10 @@ def vote_option_comment(option_id, v):
@app.get("/votes/comment/option/<option_id>")
@auth_required
 def option_votes_comment(option_id, v):
-
-	option_id = int(option_id)
-
+	try:
+		option_id = int(option_id)
+	except:
+		abort(404)
 	option = g.db.get(CommentOption, option_id)

 	if not option: abort(404)
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@ -272,8 +272,9 @@ def post_id(pid, anything=None, v=None, sub=None):
 def viewmore(v, pid, sort, offset):
 	post = get_post(pid, v=v)
 	if post.club and not (v and (v.paid_dues or v.id == post.author_id)): abort(403)
-
-	offset = int(offset)
+	try:
+		offset = int(offset)
+	except: abort(400)
 	try: ids = set(int(x) for x in request.values.get("ids").split(','))
 	except: abort(400)
 	
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@ -143,12 +143,10 @@ def flag_comment(cid, v):
@limiter.limit("4/second;100/minute;300/hour;2000/day")
@admin_level_required(PERMS['FLAGS_REMOVE'])
 def remove_report_post(v, pid, uid):
-
 	try:
 		pid = int(pid)
 		uid = int(uid)
 	except: abort(400)
-
 	report = g.db.query(Flag).filter_by(post_id=pid, user_id=uid).one_or_none()

 	if report:
@ -170,10 +168,10 @@ def remove_report_post(v, pid, uid):
@limiter.limit("4/second;100/minute;300/hour;2000/day")
@admin_level_required(PERMS['FLAGS_REMOVE'])
 def remove_report_comment(v, cid, uid):
-	
-	cid = int(cid)
-	uid = int(uid)
-	
+	try:
+		cid = int(cid)
+		uid = int(uid)
+	except: abort(400)
 	report = g.db.query(CommentFlag).filter_by(comment_id=cid, user_id=uid).one_or_none()
 	
 	if report:
--- a/files/routes/static.py
+++ b/files/routes/static.py
@ -169,7 +169,6 @@ def log(v):
@app.get("/log/<id>")
@auth_required
 def log_item(id, v):
-
 	try: id = int(id)
 	except: abort(404)

--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -1203,7 +1203,11 @@ def kofi():
 	id = data['kofi_transaction_id']
 	created_utc = int(time.mktime(time.strptime(data['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%SZ")))
 	type = data['type']
-	amount = int(float(data['amount']))
+	amount = 0
+	try:
+		amount = int(float(data['amount']))
+	except:
+		abort(400, 'invalid amount')
 	email = data['email']

 	transaction = Transaction(