Fix personal info validation

Serious-senpai · Oct 1, 2024 · 8b94db3 · 8b94db3
1 parent f25621b
commit 8b94db3
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 23 deletions.
diff --git a/server/models/reg_request.py b/server/models/reg_request.py
@@ -11,7 +11,16 @@
 from ..config import DB_PAGINATION_QUERY
 from ..database import Database
 from ..errors import BadRequest, UsernameConflictError
-from ..utils import generate_id, hash_password
+from ..utils import (
+    generate_id,
+    hash_password,
+    validate_name,
+    validate_room,
+    validate_phone,
+    validate_email,
+    validate_username,
+    validate_password,
+)
 
 
 __all__ = ("RegisterRequest",)
@@ -152,35 +161,25 @@ async def create(
         raise_http_exception: bool = True,
     ) -> Optional[RegisterRequest]:
         # Validate data
-        if phone is not None and len(phone) == 0:
+        if phone is None or len(phone) == 0:
             phone = None
 
-        if email is not None and len(email) == 0:
+        if email is None or len(email) == 0:
             email = None
 
         if (
-            len(name) == 0
-            or len(name) > 255
-            or room < 0
-            or room > 32767
-            or (phone is not None and (len(phone) > 15 or not phone.isdigit()))
-            or (email is not None and len(email) > 255)
-            or len(username) == 0
-            or len(username) > 255
-            or len(password) < 8
-            or len(password) > 255
+            not validate_name(name)
+            or not validate_room(room)
+            or (phone is not None and not validate_phone(phone))
+            or (email is not None and not validate_email(email))
+            or not validate_username(username)
+            or not validate_password(password)
         ):
             if raise_http_exception:
                 raise BadRequest
 
             return None
 
-        if email is not None and re.fullmatch(r"[\w\.-]+@[\w\.-]+\.[\w\.]+[\w\.]?", email) is None:
-            if raise_http_exception:
-                raise BadRequest
-
-            return None
-
         hashed_password = hash_password(password)
         async with Database.instance.pool.acquire() as connection:
             async with connection.cursor() as cursor:
@@ -232,16 +231,22 @@ async def query(
             where.append("request_id = ?")
             params.append(id)
 
-        if name is not None and len(name) > 0:
+        if name is not None:
+            if not validate_name(name):
+                return []
+
             where.append("CHARINDEX(?, name) > 0")
             params.append(name)
 
         if room is not None:
+            if not validate_room(room):
+                return []
+
             where.append("room = ?")
             params.append(room)
 
         if username is not None:
-            if len(username) == 0:
+            if not validate_username(username):
                 return []
 
             where.append("username = ?")

diff --git a/server/models/residents.py b/server/models/residents.py
@@ -7,6 +7,11 @@
 from .snowflake import Snowflake
 from ..config import DB_PAGINATION_QUERY
 from ..database import Database
+from ..utils import (
+    validate_name,
+    validate_room,
+    validate_username,
+)
 
 
 __all__ = ("Resident",)
@@ -50,16 +55,22 @@ async def query(
             where.append("resident_id = ?")
             params.append(id)
 
-        if name is not None and len(name) > 0:
+        if name is not None:
+            if len(name) == 0 or len(name) > 255:
+                return []
+
             where.append("CHARINDEX(?, name) > 0")
             params.append(name)
 
         if room is not None:
+            if not validate_room(room):
+                return []
+
             where.append("room = ?")
             params.append(room)
 
         if username is not None:
-            if len(username) == 0:
+            if not validate_username(username):
                 return []
 
             where.append("username = ?")

diff --git a/server/utils.py b/server/utils.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import re
 import secrets
 import string
 from datetime import datetime, timedelta, timezone
@@ -17,6 +18,12 @@
     "from_epoch",
     "snowflake_time",
     "generate_id",
+    "validate_name",
+    "validate_room",
+    "validate_phone",
+    "validate_email",
+    "validate_username",
+    "validate_password",
 )
 
 
@@ -81,3 +88,27 @@ def generate_id(cls) -> int:
 
 
 generate_id = __IDGenerator.generate_id
+
+
+def validate_name(name: str) -> bool:
+    return len(name) > 0 and len(name) < 256
+
+
+def validate_room(room: int) -> bool:
+    return room >= 0 and room < 32768
+
+
+def validate_phone(phone: str) -> bool:
+    return phone.isdigit() and len(phone) < 16
+
+
+def validate_email(email: str) -> bool:
+    return re.fullmatch(r"[\w\.-]+@[\w\.-]+\.[\w\.]+[\w\.]?", email) is not None and len(email) < 256
+
+
+def validate_username(username: str) -> bool:
+    return len(username) > 0 and len(username) < 256
+
+
+def validate_password(password: str) -> bool:
+    return len(password) >= 8 and len(password) < 256