From 87fd8ee57a3bc774b7b5b1042d61d4a0041767e4 Mon Sep 17 00:00:00 2001
From: justcool393
Date: Sun, 9 Oct 2022 05:54:46 -0700
Subject: [PATCH] comment sanity checks and constantization

* make HTML body length a constant and use it
* abort before uploads and other tasks if comment level is too deep
* what a nightmare of two functions, please do better next time
---
 files/helpers/const.py | 2 ++
 files/helpers/sanitize.py | 4 ++--
 files/routes/comments.py | 31 +++++++++++++------------------
 files/routes/posts.py | 6 ++----
 4 files changed, 19 insertions(+), 24 deletions(-)
diff --git a/files/helpers/const.py b/files/helpers/const.py
index 604c94b3e..a6f999e07 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -266,6 +266,8 @@ POST_TITLE_HTML_LENGTH_LIMIT = 1500 # do not make larger than 1500 without alter
 POST_BODY_LENGTH_LIMIT = 20000 # do not make larger than 20000 without altering the table
 POST_BODY_HTML_LENGTH_LIMIT = 40000 # do not make larger than 40000 without altering the table
 COMMENT_BODY_LENGTH_LIMIT = 10000 # do not make larger than 10000 characters without altering the table
+COMMENT_BODY_HTML_LENGTH_LIMIT = 20000 # do not make larger than 20000 characters without altering the table
+COMMENT_MAX_DEPTH = 200
 TRANSFER_MESSAGE_LENGTH_LIMIT = 200 # do not make larger than 10000 characters (comment limit) without altering the table
 
 LOGGEDIN_ACTIVE_TIME = 15 * 60
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 5d2867b6d..4ba05b248 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
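Review bot: `COMMENT_MAX_DEPTH = 200` is the only constant added to this group without a note on what bounds it, while each neighbouring limit records the table constraint it must not exceed. A comment such as `COMMENT_MAX_DEPTH = 200 # deepest reply level accepted by comment() in files/routes/comments.py` would at least point the next editor at the consumer; whether the value is tied to a schema, rendering or recursion limit is not visible in this patch, so the comment should state the real constraint if one exists.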
@@ -195,11 +195,11 @@ def sanitize_raw_title(sanitized):
 	sanitized = sanitized.strip()
 	return sanitized[:POST_TITLE_LENGTH_LIMIT]
 
-def sanitize_raw_body(sanitized):
+def sanitize_raw_body(sanitized, is_post):
 	if not sanitized: return ""
 	sanitized = sanitized.replace('\u200e','').replace('\u200b','').replace("\ufeff", "").replace("\r\n", "\n")
 	sanitized = sanitized.strip()
-	return sanitized[:POST_BODY_LENGTH_LIMIT]
+	return sanitized[:POST_BODY_LENGTH_LIMIT if is_post else COMMENT_BODY_LENGTH_LIMIT]
 
 
 @with_sigalrm_timeout(5)
diff --git a/files/routes/comments.py b/files/routes/comments.py
index c2f923d52..a24d22fac 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -155,13 +155,14 @@ def comment(v):
 		level = parent.level + 1
 		if parent.author_id == v.id: rts = True
 	else: abort(400)
-
+
 	if not parent.can_see(v): abort(404)
 	if parent.deleted_utc != 0: abort(404)
 
-	body = request.values.get("body", "").strip().replace('‎','')
+	if level > COMMENT_MAX_DEPTH:
+		return {"error": f"Max comment level is {COMMENT_MAX_DEPTH}"}, 400
 
-	body = body.replace('\r\n', '\n')[:COMMENT_BODY_LENGTH_LIMIT]
+	body = sanitize_raw_body(request.values.get("body", ""), False)
 
 	if parent_post.id not in ADMIGGERS:
 		if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
@@ -231,7 +232,7 @@ def comment(v):
 		else: abort(415)
 
 
-	body = body.strip()
+	body = body.strip()[:COMMENT_BODY_LENGTH_LIMIT]
 
 	if v.admin_level >= PERMS['SITE_SETTINGS_SNAPPY_QUOTES'] and parent_post.id == SNAPPY_THREAD and level == 1:
 		with open(f"snappy_{SITE_NAME}.txt", "a", encoding="utf-8") as f:
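Review bot: The new `is_post` parameter of `sanitize_raw_body` has no default, so any call site this commit did not update now raises TypeError at request time; only four callers (comment(), edit_comment(), edit_post(), submit_post()) are touched in this patch, so any other caller in the tree must be checked. If a default is wanted, `def sanitize_raw_body(sanitized, is_post=True):` keeps the previous post-length behaviour for untouched callers. The updated callers pass a bare positional `False`/`True`; writing `is_post=True` at the call site reads better than an unlabelled boolean. A one-line docstring stating that the cut-off is POST_BODY_LENGTH_LIMIT for posts and COMMENT_BODY_LENGTH_LIMIT otherwise would document the contract.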
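Review bot: `body = body.strip()[:COMMENT_BODY_LENGTH_LIMIT]` in comment() re-truncates after the upload handling above it, but unlike the identical line added in edit_comment (the hunk at -666) it carries no comment saying why; add `# uploads may have appended to body, so re-apply the limit` (the appending code sits above this hunk and is not visible here, so confirm that is the reason). Truncating at this point also silently cuts whatever was appended last, so an over-long body can be stored with a partial upload link; returning an error like the other checks in comment() would be clearer than silent truncation, if callers can tolerate that. comment() begins and ends outside this hunk.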
@@ -258,7 +259,7 @@ def comment(v):
 	if existing:
 		return {"error": f"You already made that comment: /comment/{existing.id}"}, 409
 	if parent.author.any_block_exists(v) and v.admin_level < PERMS['POST_COMMENT_MODERATION']:
-		return {"error": "You can't reply to users who have blocked you, or users you have blocked."}, 403
+		return {"error": "You can't reply to users who have blocked you or users that you have blocked."}, 403
 
 	is_bot = v.id != 12125 and (bool(request.headers.get("Authorization")) or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID))
 
@@ -300,10 +301,7 @@ def comment(v):
 			g.db.commit()
 			return {"error": "Too much spam!"}, 403
 
-	if len(body_html) > 20000: abort(400)
-
-	if level > 200:
-		return {"error": "Max comment level is 200"}, 400
+	if len(body_html) > COMMENT_BODY_HTML_LENGTH_LIMIT: abort(400)
 
 	c = Comment(author_id=v.id,
 		parent_submission=parent_submission,
@@ -313,7 +311,7 @@ def comment(v):
 		is_bot=is_bot,
 		app_id=v.client.application.id if v.client else None,
 		body_html=body_html,
-		body=body[:10000],
+		body=body,
 		ghost=parent_post.ghost
 		)
 
@@ -592,17 +590,15 @@ def comment(v):
 @limiter.limit("1/second;10/minute;100/hour;200/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
 @auth_required
 def edit_comment(cid, v):
-
 	c = get_comment(cid, v=v)
 	if time.time() - c.created_utc > 7*24*60*60 and not (c.post and c.post.private):
 		return {"error":"You can't edit comments older than 1 week!"}, 403
 
 	if c.author_id != v.id: abort(403)
+	if not c.post: abort(403)
 
-	body = request.values.get("body", "").strip().replace('‎','')
-
-	body = body.replace('\r\n', '\n')[:10000]
+	body = sanitize_raw_body(request.values.get("body", ""), False)
 
 	if len(body) < 1 and not (request.files.get("file") and request.headers.get("cf-ipcountry") != "T1"):
 		return {"error":"You have to actually type something!"}, 400
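Review bot: `if len(body_html) > COMMENT_BODY_HTML_LENGTH_LIMIT: abort(400)` rejects with a bare 400 and no message, while the checks around it in comment() return `{"error": ...}` JSON; a body that fits the 10000-character raw limit can still exceed the HTML limit once rendered, and the client gets no explanation of what to shorten. Consider `return {"error": f"Rendered comment exceeds {COMMENT_BODY_HTML_LENGTH_LIMIT} characters"}, 400` here and at the same check in edit_comment (the hunk at -679). comment() starts and ends outside this hunk.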
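Review bot: The new `if not c.post: abort(403)` in edit_comment gives no indication of why a comment without a post cannot be edited, and the age check two lines above already tolerates `c.post` being absent, so a reader cannot tell whether this is an authorisation rule or a guard for a later `c.post` access. A short comment, e.g. `# editing needs a parent post; guards the c.post uses further down` if that is the reason, would settle it; any such later uses are outside this hunk. edit_comment continues past the hunk.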
@@ -666,8 +662,7 @@ def edit_comment(cid, v):
 			return {"error": "Too much spam!"}, 403
 
 	body += process_files()
-
-	body = body.strip()
+	body = body.strip()[:COMMENT_BODY_LENGTH_LIMIT] # process_files potentially adds characters to the post
 
 	body_for_sanitize = body
 	if v.owoify:
@@ -679,12 +674,12 @@ def edit_comment(cid, v):
 
 	body_html = sanitize(body_for_sanitize, golden=False, limit_pings=5, torture=torture)
 
-	if len(body_html) > 20000: abort(400)
+	if len(body_html) > COMMENT_BODY_HTML_LENGTH_LIMIT: abort(400)
 
 	if v.marseyawarded and marseyaward_body_regex.search(body_html):
 		return {"error":"You can only type marseys!"}, 403
 
-	c.body = body[:10000]
+	c.body = body
 	c.body_html = body_html
 
 	if blackjack and any(i in c.body.lower() for i in blackjack.split()):
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 37ce2177e..c057028f0 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -412,8 +412,7 @@ def edit_post(pid, v):
 		abort(403)
 
 	title = sanitize_raw_title(request.values.get("title", ""))
-
-	body = sanitize_raw_body(request.values.get("body", ""))
+	body = sanitize_raw_body(request.values.get("body", ""), True)
 
 	if v.id == p.author_id:
 		if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
@@ -695,8 +694,7 @@ def submit_post(v, sub=None):
 	if '\\' in url: abort(400)
 
 	title = sanitize_raw_title(request.values.get("title", ""))
-
-	body = sanitize_raw_body(request.values.get("body", ""))
+	body = sanitize_raw_body(request.values.get("body", ""), True)
 
 	def error(error):
 		if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": error}, 400
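Review bot: The trailing comment on `body = body.strip()[:COMMENT_BODY_LENGTH_LIMIT] # process_files potentially adds characters to the post` says "post", but this is edit_comment and `body` is the comment text being edited; `# process_files() can append to body, so re-apply the comment length limit` says what is meant. The same truncation-after-append pattern in comment() (the hunk at -231) has no comment at all and would benefit from the same line. edit_comment continues outside this hunk.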