From 543d94e88ed4c160e622dea37e993a4b38947346 Mon Sep 17 00:00:00 2001
From: Sainan
Date: Mon, 1 Jul 2024 12:26:38 +0200
Subject: [PATCH] fix: possible denial of service via a single (authenticated) request (#442)
---
 .../custom/pushArchonCrystalUpgradeController.ts | 10 ++++++----
 static/webui/index.html | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/controllers/custom/pushArchonCrystalUpgradeController.ts b/src/controllers/custom/pushArchonCrystalUpgradeController.ts
index cbe1023d..c12ea584 100644
--- a/src/controllers/custom/pushArchonCrystalUpgradeController.ts
+++ b/src/controllers/custom/pushArchonCrystalUpgradeController.ts
@@ -10,11 +10,13 @@ export const pushArchonCrystalUpgradeController: RequestHandler = async (req, re
 if (suit) {
 suit.ArchonCrystalUpgrades ??= [];
 const count = (req.query.count as number | undefined) ?? 1;
- for (let i = 0; i != count; ++i) {
- suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
+ if (count >= 1 && count <= 10000) {
+ for (let i = 0; i != count; ++i) {
+ suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
+ }
+ await inventory.save();
+ res.end();
 }
- await inventory.save();
- res.end();
 }
 res.status(400).end();
 };
diff --git a/static/webui/index.html b/static/webui/index.html
index 5b49578e..505c3665 100644
--- a/static/webui/index.html
+++ b/static/webui/index.html
@@ -114,7 +114,7 @@
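Review bot: The added range check in pushArchonCrystalUpgradeController still lets one request hang the process, because `req.query.count` is a string at runtime despite the `as number | undefined` cast, and a value such as `count=1.5` passes `count >= 1 && count <= 10000` by coercion while `i != count` in the loop below it can never become false. Parse and validate an integer explicitly and bound the loop with `<` rather than `!=`: `const count = req.query.count === undefined ? 1 : Number(req.query.count);`, `if (Number.isInteger(count) && count >= 1 && count <= 10000) {`, `for (let i = 0; i < count; ++i) {`. The success path also still falls through to the unchanged `res.status(400).end();` because nothing returns after the added `res.end();`; a `return;` after it would make the intended response explicit. The re-added `req.query.type as string` has the same problem as `count` — under Express's default query parser it can be an array or object, which would then be stored as-is, so a `typeof req.query.type === "string"` check belongs in the same guard. The controller's signature sits in the hunk header, outside the hunk itself.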

You can use these unlimited slots to apply a wide range of upgrades.

- + x