feat: assert request content-type in post apis

Bobby 2022-07-22 08:40:40 +07:00
parent aa85d04d34
commit 776ab8ab37
No known key found for this signature in database
GPG Key ID: 941839794CBF5A09
5 changed files with 35 additions and 0 deletions


@ -189,6 +189,7 @@ self.list = async (req, res) => {
}
self.create = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body
@ -233,16 +234,20 @@ self.create = async (req, res) => {
}
self.delete = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body and re-map for .disable()
req.body = await req.json()
.then(obj => {
obj.del = true
return obj
})
return self.disable(req, res)
}
self.disable = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
const ismoderator = perms.is(user, 'moderator')
@ -316,6 +321,7 @@ self.disable = async (req, res) => {
}
self.edit = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
const ismoderator = perms.is(user, 'moderator')
@ -418,6 +424,8 @@ self.edit = async (req, res) => {
}
self.rename = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body and re-map for .edit()
req.body = await req.json()
.then(obj => {
@ -426,6 +434,7 @@ self.rename = async (req, res) => {
name: obj.name
}
})
return self.edit(req, res)
}
@ -627,6 +636,7 @@ self.generateZip = async (req, res) => {
}
self.addFiles = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body
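Review bot: The content-type check is opt-in per handler, so a POST handler added later without the `await utils.assertRequestType(req, 'json')` line will call `req.json()` on any body type and nothing will flag the omission; the same pattern repeats in the other file sections of this commit that add this line. Enforcing the check once where the POST routes are registered (not visible on this page) would make it the default rather than a convention. `self.delete` and `self.rename` assert and then delegate to `self.disable` / `self.edit`, which assert again; that is harmless, but a comment such as `// Checked here as well because req.json() runs before delegating` would make the duplication look intentional. The helper in the utils hunk is synchronous, so the `await` in front of each call is not needed.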


@ -31,6 +31,8 @@ const self = {
const saltRounds = 10
self.verify = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body
req.body = await req.json()
@ -63,6 +65,8 @@ self.verify = async (req, res) => {
}
self.register = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body
req.body = await req.json()
@ -113,6 +117,7 @@ self.register = async (req, res) => {
}
self.changePassword = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body
@ -145,6 +150,7 @@ self.assertPermission = (user, target) => {
}
self.createUser = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body
@ -210,6 +216,7 @@ self.createUser = async (req, res) => {
}
self.editUser = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body, if required
@ -266,6 +273,8 @@ self.editUser = async (req, res) => {
}
self.disableUser = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body and re-map for .editUser()
req.body = await req.json()
.then(obj => {
@ -274,10 +283,12 @@ self.disableUser = async (req, res) => {
enabled: false
}
})
return self.editUser(req, res)
}
self.deleteUser = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body


@ -34,6 +34,8 @@ self.generateUniqueToken = async () => {
}
self.verify = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body
req.body = await req.json()


@ -626,6 +626,8 @@ self.actuallyUploadUrls = async (req, res, user, data = {}) => {
/** Chunk uploads */
self.finishChunks = async (req, res) => {
await utils.assertRequestType(req, 'json')
if (!chunkedUploads) {
throw new ClientError('Chunked upload is disabled.', { statusCode: 403 })
}
@ -1048,6 +1050,8 @@ self.sendUploadResponse = async (req, res, user, result) => {
/** Delete uploads */
self.delete = async (req, res) => {
await utils.assertRequestType(req, 'json')
// Parse POST body and re-map for .bulkDelete()
// Original API used by lolisafe v3's frontend
// Meanwhile this fork's frontend uses .bulkDelete() straight away
@ -1059,10 +1063,12 @@ self.delete = async (req, res) => {
values: isNaN(id) ? undefined : [id]
}
})
return self.bulkDelete(req, res)
}
self.bulkDelete = async (req, res) => {
await utils.assertRequestType(req, 'json')
const user = await utils.authorize(req)
// Parse POST body, if required


@ -373,6 +373,12 @@ self.stripIndents = string => {
return result
}
self.assertRequestType = (req, type) => {
if (!req.is(type)) {
throw new ClientError(`Request type must be ${type.toUpperCase()}.`)
}
}
self.assertUser = async (token, fields) => {
const _fields = ['id', 'username', 'enabled', 'timestamp', 'permission', 'registration']
if (typeof fields === 'string') fields = [fields]
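Review bot: `self.assertRequestType` throws `ClientError` with no status code, so a rejected Content-Type is reported with whatever default `ClientError` uses rather than 415 Unsupported Media Type. `ClientError` takes an options object elsewhere on this page (`{ statusCode: 403 }` in the chunk-upload handler), so passing `{ statusCode: 415 }` as the second argument would let clients and log filters tell this rejection apart from other client errors. The helper also has no doc comment; something like `/** Throws ClientError unless the request's Content-Type matches the given type (e.g. 'json'). Synchronous. */` would cover it. It is worth confirming that `req.is` returns a falsy value when the Content-Type header is missing, so the check fails closed. The message uses `type.toUpperCase()`, which assumes `type` is always a string.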