VALIDATION

Signed-off-by: roxwize <rae@roxwize.xyz>
2025-05-07 22:13:07 +00:00 · 2025-01-28 22:52:18 -05:00 · 2025-01-28 22:52:18 -05:00 · 65c29b0564
commit 65c29b0564
parent 0015f4bb86
5 changed files with 27 additions and 8 deletions
--- a/routes/login.ts
+++ b/routes/login.ts
@ -1,12 +1,10 @@
 import { Express } from "express";
 import bcrypt from "bcrypt";
-import { render } from "./util.js";
+import { render, validateEmail } from "./util.js";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import { follows, inviteCodes, profiles, users } from "../db/schema.js";
 import { eq } from "drizzle-orm";

-//! TEMP Also not sanitized like at all
-//! Also make sure user isnt logged in before doing this
 export default function(app: Express, db: NodePgDatabase) {
  app.get("/register", (req, res) => {
    if (req.session["loggedIn"]) {
@ -41,6 +39,11 @@ export default function(app: Express, db: NodePgDatabase) {
      res.redirect("/register");
      return;
    }
+    if (!validateEmail(req.body.email)) {
+      req.flash("error", "That email is invalid or malformed.");
+      res.redirect("/register");
+      return;
+    }

    //! dumb
    req.body.name = req.body.name.trim();
@ -101,7 +104,7 @@ export default function(app: Express, db: NodePgDatabase) {
        //@ts-expect-error
        .values({
          name: req.body.name,
-          email: req.body.email, //! Not actually validating this like at all???
+          email: req.body.email,
          pass: hash,
          status: code.confers,
          registered: new Date(Date.now())
--- a/routes/users.ts
+++ b/routes/users.ts
@ -8,7 +8,7 @@ import {
    users
 } from "../db/schema.js";
 import { and, desc, eq, ne } from "drizzle-orm";
-import { getMoods, render, render404, UserStatus } from "./util.js";
+import { getMoods, render, render404, UserStatus, validateUrl } from "./util.js";
 import { PgColumn } from "drizzle-orm/pg-core";
 import dayjs from "dayjs";

@ -139,6 +139,11 @@ export default async function (app: Express, db: NodePgDatabase) {
            res.redirect("/login");
            return;
        }
+        if (!validateUrl(req.body.website)) {
+            req.flash("error", "The website URL provided is invalid or malformed.");
+            res.redirect(req.get("Referrer") || "/");
+            return;
+        }
        const { uname } = (
            await db
                .select({ uname: users.name })
@ -153,7 +158,7 @@ export default async function (app: Express, db: NodePgDatabase) {
            return;
        }

-        await db //! no sanitization here either BROOOOOOO
+        await db
            .update(profiles)
            .set({
                // @ts-expect-error
--- a/routes/util.ts
+++ b/routes/util.ts
@ -140,3 +140,12 @@ export function confirm(
 ) {
    render(db, "confirm", "Confirm action", res, req, { body: req.body, url: req.url });
 }
+
+const emailRegex = /^([^\x00-\x20\x22\x28\x29\x2c\x2e\x3a-\x3c\x3e\x40\x5b-\x5d\x7f-\xff]+|\x22([^\x0d\x22\x5c\x80-\xff]|\x5c[\x00-\x7f])*\x22)(\x2e([^\x00-\x20\x22\x28\x29\x2c\x2e\x3a-\x3c\x3e\x40\x5b-\x5d\x7f-\xff]+|\x22([^\x0d\x22\x5c\x80-\xff]|\x5c[\x00-\x7f])*\x22))*\x40([^\x00-\x20\x22\x28\x29\x2c\x2e\x3a-\x3c\x3e\x40\x5b-\x5d\x7f-\xff]+|\x5b([^\x0d\x5b-\x5d\x80-\xff]|\x5c[\x00-\x7f])*\x5d)(\x2e([^\x00-\x20\x22\x28\x29\x2c\x2e\x3a-\x3c\x3e\x40\x5b-\x5d\x7f-\xff]+|\x5b([^\x0d\x5b-\x5d\x80-\xff]|\x5c[\x00-\x7f])*\x5d))*$/i;
+const urlRegex = /https?:\/\/(?:www\.)?(?:[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b)*(?:\/[\/\d\w\.-]*)*(?:[\?])*(?:.+)*/i;
+export function validateEmail(email: string) {
+    return emailRegex.test(email);
+}
+export function validateUrl(url: string) {
+    return urlRegex.test(url);
+}