From 8d97cb2d0a6e21df1bf5e555a6b36de42ead0b34 Mon Sep 17 00:00:00 2001
From: Arzumify
Date: Wed, 26 Jun 2024 18:53:58 +0100
Subject: [PATCH] Made all JSON safe, so that a malformed request cannot cause a panic
---
 main.go | 203 ++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 169 insertions(+), 34 deletions(-)
diff --git a/main.go b/main.go
index 3d55cd6..9f5421f 100644
--- a/main.go
+++ b/main.go
@@ -325,8 +325,16 @@ func main() {
 return
 }
- username := data["username"].(string)
- password := data["password"].(string)
+ username, ok := data["username"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ password, ok := data["password"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 enableAPIVersion2 := false
 versionCheck := c.GetHeader("X-Burgernotes-Version")
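Review bot: The 400 body `"Invalid JSON"` on the new `if !ok` branches is inaccurate: the request body did parse, and the comma-ok assertion fails because `username` or `password` is absent or not a string, so a message such as `gin.H{"error": "Missing or invalid field: username"}` tells the client what to fix. The same four-line block is repeated for every field in every hunk of this patch; assuming `data` is a `map[string]any`, a small helper like `func requireString(data map[string]any, key string) (string, bool)`, or binding each request into a typed struct via `c.ShouldBindJSON`, would make the missing-field case a single code path instead of roughly twenty-five copies. The check accepts an empty string, so if empty usernames or passwords must be rejected that happens, if at all, outside this hunk. The enclosing handler starts and ends outside the hunk.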
@@ -374,8 +382,24 @@ func main() {
 if !enableAPIVersion2 {
 _, err = conn.Exec("INSERT INTO users (username, password, versionTwoLegacyPassword, created) VALUES (?, ?, ?, ?)", username, hashedPasswd, "nil", strconv.FormatInt(time.Now().Unix(), 10))
 } else {
- legacyPassword := data["legacyPassword"].(string)
- _, err = conn.Exec("INSERT INTO users (username, password, versionTwoLegacyPassword, created) VALUES (?, ?, ?, ?)", username, hashedPasswd, legacyPassword, strconv.FormatInt(time.Now().Unix(), 10))
+ legacyPassword, ok := data["legacyPassword"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ salt, err := genSalt(16)
+ if err != nil {
+ log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
+ c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgernotes and refer to the documentation for more info. Your error code is: UNKNOWN-API-SIGNUP-SALT"})
+ return
+ }
+ legacyPasswordHash, err := hash(legacyPassword, salt)
+ if err != nil {
+ log.Println("[ERROR] Unknown in /api/signup hash() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
+ c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgernotes and refer to the documentation for more info. Your error code is: UNKNOWN-API-SIGNUP-HASH"})
+ return
+ }
+ _, err = conn.Exec("INSERT INTO users (username, password, versionTwoLegacyPassword, created) VALUES (?, ?, ?, ?)", username, hashedPasswd, legacyPasswordHash, strconv.FormatInt(time.Now().Unix(), 10))
 }
 if err != nil {
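Review bot: `salt, err := genSalt(16)` inside the `else` block declares a new `err` that shadows the handler's `err` (the variable the `if !enableAPIVersion2` branch assigns with `=`), so the `_, err = conn.Exec(...)` on the last added line writes the shadow, and the `if err != nil {` after the closing brace reads the outer `err`, which this branch never sets. A failed INSERT on the version-2 signup path is therefore not reported and the handler continues as if the user row existed; the shadow analyzer for `go vet` flags exactly this. Give the two inner results their own names so the final assignment reaches the outer variable, as below. The enclosing handler starts and ends outside the hunk.
```go
} else {
	legacyPassword, ok := data["legacyPassword"].(string)
	// … unchanged: 400 "Invalid JSON" on !ok …
	salt, saltErr := genSalt(16)
	if saltErr != nil {
		log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", saltErr)
		// … unchanged: 500 UNKNOWN-API-SIGNUP-SALT response and return …
	}
	legacyPasswordHash, hashErr := hash(legacyPassword, salt)
	if hashErr != nil {
		log.Println("[ERROR] Unknown in /api/signup hash() at", strconv.FormatInt(time.Now().Unix(), 10)+":", hashErr)
		// … unchanged: 500 UNKNOWN-API-SIGNUP-HASH response and return …
	}
	// … unchanged: conn.Exec INSERT, whose `_, err =` now assigns the outer err …
```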
@@ -419,7 +443,7 @@ func main() {
 enableAPIVersion2 := false
 enableAPIVersion1 := false
- version1PasswordChange := data["newpass"].(string)
+ version1PasswordChange, _ := data["newpass"].(string)
 versionCheck := c.GetHeader("X-Burgernotes-Version")
 if versionCheck != "" {
 versionCheckInt, err := strconv.Atoi(versionCheck)
@@ -439,8 +463,16 @@ func main() {
 }
 }
- username := data["username"].(string)
- password := data["password"].(string)
+ username, ok := data["username"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ password, ok := data["password"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 userid, taken, err := checkUsernameTaken(username)
 if !taken {
@@ -502,8 +534,7 @@ func main() {
 return
 }
 }
-
-
+
 if enableAPIVersion1 && version1PasswordChange != "null" {
 salt, err := genSalt(16)
 if err != nil {
@@ -583,8 +614,16 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- legacyPassword := data["legacyPassword"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ legacyPassword, ok := data["legacyPassword"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -609,8 +648,16 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- newPassword := data["newPassword"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ newPassword, ok := data["newPassword"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
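Review bot: `version1PasswordChange, _ := data["newpass"].(string)` in the hunk at 443 discards the comma-ok result, so a missing or non-string `newpass` yields `""`, and the gate in the hunk at 534, `if enableAPIVersion1 && version1PasswordChange != "null"`, treats `""` as a real new password because the only sentinel for "no change" is the literal string "null". If that branch hashes the value (it opens with `salt, err := genSalt(16)`; the rest is outside the hunk), a version-1 client that simply omits the field would have its password replaced by a hash of the empty string. Keep the flag instead of dropping it: `version1PasswordChange, hasNewPass := data["newpass"].(string)` and `if enableAPIVersion1 && hasNewPass && version1PasswordChange != "null" {`. The enclosing handler starts and ends outside both hunks.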
@@ -649,7 +696,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -687,7 +738,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -708,7 +763,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -763,7 +822,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -818,8 +881,16 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- notesStr := data["notes"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ notesStr, ok := data["notes"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
@@ -855,8 +926,16 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- noteName := data["noteName"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteName, ok := data["noteName"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
 c.JSON(401, gin.H{"error": "Invalid session"})
@@ -887,8 +966,17 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- noteId := int(data["noteId"].(float64))
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteIdFloat, ok := data["noteId"].(float64)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteId := int(noteIdFloat)
 _, userid, err := getSession(token)
 if err != nil {
@@ -924,10 +1012,27 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- noteId := int(data["noteId"].(float64))
- content := data["content"].(string)
- title := data["title"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteIdFloat, ok := data["noteId"].(float64)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteId := int(noteIdFloat)
+ content, ok := data["content"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ title, ok := data["title"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
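Review bot: `noteId := int(noteIdFloat)` in the hunk at 966 converts an arbitrary JSON number without checking that it is an integral value in range: a fractional id is silently truncated, and for a float64 outside the int range the Go spec leaves the converted value implementation-dependent, so a constructed body like `{"noteId": 1e300}` passes the new type check and reaches whatever query uses `noteId` below the hunk with an unpredictable id instead of a 400. Reject such values before converting, e.g. `if noteIdFloat != math.Trunc(noteIdFloat) || noteIdFloat < 0 || noteIdFloat > math.MaxInt32 { c.JSON(400, gin.H{"error": "Invalid JSON"}); return }` (adding the `math` import if the file lacks it), or decode the request into a typed struct with an `int` field so the JSON decoder rejects non-integers for you. The same conversion appears for `noteId` in the hunks at 1012 and 1075 and for `sessionId` at 1236. The lower bound and width assume ids are non-negative 32-bit integers, which the hunk does not show; confirm against the schema. The enclosing handler starts and ends outside the hunk.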
@@ -970,8 +1075,17 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- noteId := int(data["noteId"].(float64))
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteIdFloat, ok := data["noteId"].(float64)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ noteId := int(noteIdFloat)
 _, userid, err := getSession(token)
 if err != nil {
@@ -1014,7 +1128,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
@@ -1054,7 +1172,11 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 _, userid, err := getSession(token)
 if err != nil {
@@ -1114,8 +1236,17 @@ func main() {
 return
 }
- token := data["secretKey"].(string)
- sessionId := int(data["sessionId"].(float64))
+ token, ok := data["secretKey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ sessionIdFloat, ok := data["sessionId"].(float64)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
+ sessionId := int(sessionIdFloat)
 _, userid, err := getSession(token)
 if err != nil {
@@ -1158,7 +1289,11 @@ func main() {
 return
 }
- masterToken := data["masterkey"].(string)
+ masterToken, ok := data["masterkey"].(string)
+ if !ok {
+ c.JSON(400, gin.H{"error": "Invalid JSON"})
+ return
+ }
 if masterToken == secretKey {
 rows, err := conn.Query("SELECT id, username, created FROM users ORDER BY id DESC")
 if err != nil {
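Review bot: The newly extracted `masterToken` in the hunk at 1289 is checked against `secretKey` with `==` on the next context line; a plain string comparison stops at the first differing byte, so the time it takes varies with how much of the admin key an attacker has guessed. The signal is small over a network, but the constant-time form costs nothing for a gate that unlocks a full user listing: `if subtle.ConstantTimeCompare([]byte(masterToken), []byte(secretKey)) == 1 {` with `crypto/subtle` imported. The enclosing handler starts and ends outside the hunk.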