fix: possible denial of service via a single (authenticated) request (#442)

2024-07-01 12:26:38 +02:00 · 2024-07-01 12:26:38 +02:00 · 543d94e88e
commit 543d94e88e
parent c778407a91
2 changed files with 7 additions and 5 deletions
--- a/src/controllers/custom/pushArchonCrystalUpgradeController.ts
+++ b/src/controllers/custom/pushArchonCrystalUpgradeController.ts
@ -10,11 +10,13 @@ export const pushArchonCrystalUpgradeController: RequestHandler = async (req, re
    if (suit) {
        suit.ArchonCrystalUpgrades ??= [];
        const count = (req.query.count as number | undefined) ?? 1;
-        for (let i = 0; i != count; ++i) {
-            suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
+        if (count >= 1 && count <= 10000) {
+            for (let i = 0; i != count; ++i) {
+                suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
+            }
+            await inventory.save();
+            res.end();
        }
-        await inventory.save();
-        res.end();
    }
    res.status(400).end();
 };
--- a/static/webui/index.html
+++ b/static/webui/index.html
@ -114,7 +114,7 @@
                    <div class="card-body">
                        <p>You can use these unlimited slots to apply a wide range of upgrades.</p>
                        <form class="input-group mb-3" onsubmit="doPushArchonCrystalUpgrade();return false;">
-                            <input type="number" id="archon-crystal-add-count" min="1" value="1" class="form-control" style="max-width:100px" />
+                            <input type="number" id="archon-crystal-add-count" min="1" max="10000" value="1" class="form-control" style="max-width:100px" />
                            <span class="input-group-text">x</span>
                            <input class="form-control" list="datalist-archonCrystalUpgrades" />
                            <button class="btn btn-primary" type="submit">Add</button>