fix: possible denial of service via a single (authenticated) request #442

Merged
Sainan merged 1 commits from dos into main 2024-07-01 03:26:38 -07:00
2 changed files with 7 additions and 5 deletions


@ -10,11 +10,13 @@ export const pushArchonCrystalUpgradeController: RequestHandler = async (req, re
if (suit) {
suit.ArchonCrystalUpgrades ??= [];
const count = (req.query.count as number | undefined) ?? 1;
for (let i = 0; i != count; ++i) {
suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
if (count >= 1 && count <= 10000) {
for (let i = 0; i != count; ++i) {
suit.ArchonCrystalUpgrades.push({ UpgradeType: req.query.type as string });
}
await inventory.save();
res.end();
}
await inventory.save();
res.end();
}
res.status(400).end();
};
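Review bot: The added range check on `count` still admits non-integer values, because `req.query.count as number | undefined` is only a compile-time cast and Express delivers query values as strings. A fractional value such as `1.5` satisfies `count >= 1 && count <= 10000`, after which the `i != count` loop never reaches equality and keeps pushing, so the unbounded growth this commit targets is still reachable. Convert and validate before looping, e.g. `const count = Number(req.query.count ?? 1);` guarded by `if (Number.isInteger(count) && count >= 1 && count <= 10000) {`, and bound the loop with `for (let i = 0; i < count; ++i) {` so it terminates even if validation is later loosened. Separately, the success path falls through to `res.status(400).end()` after `res.end()`; a `return;` after the first would make the intent explicit. The handler's body starts above the hunk, so the lookup of `suit` and any cap on the total length of `ArchonCrystalUpgrades` across requests were not visible for review.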


@ -114,7 +114,7 @@
<div class="card-body">
<p>You can use these unlimited slots to apply a wide range of upgrades.</p>
<form class="input-group mb-3" onsubmit="doPushArchonCrystalUpgrade();return false;">
<input type="number" id="archon-crystal-add-count" min="1" value="1" class="form-control" style="max-width:100px" />
<input type="number" id="archon-crystal-add-count" min="1" max="10000" value="1" class="form-control" style="max-width:100px" />
<span class="input-group-text">x</span>
<input class="form-control" list="datalist-archonCrystalUpgrades" />
<button class="btn btn-primary" type="submit">Add</button>