From 8212e56fd470985bcb5dca94defc40854fb95894 Mon Sep 17 00:00:00 2001
From: Daniel Schadt <kingdread@gmx.de>
Date: Tue, 10 Dec 2019 13:54:12 +0100
Subject: sanitize ID before accessing or sending to the API

---
 src/api/mod.rs | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

(limited to 'src/api/mod.rs')

diff --git a/src/api/mod.rs b/src/api/mod.rs
index 41034ec..9c771fd 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -121,7 +121,7 @@ impl Api {
         let mut api_ids: Vec<R::Id> = Vec::new();
 
         for id in ids {
-            let cache_path = format!("{}{}", cache_prefix, id.to_string());
+            let cache_path = format!("{}{}", cache_prefix, sanitize_id(&id.to_string()));
             match self.get_cached(cache_path)? {
                 Some(cached) => result.push(cached),
                 None => api_ids.push(id.clone()),
@@ -133,7 +133,11 @@ impl Api {
         }
 
         let url = self.make_url(endpoint);
-        let api_arg = api_ids.iter().map(ToString::to_string).join(",");
+        let api_arg = api_ids
+            .iter()
+            .map(ToString::to_string)
+            .map(|s| sanitize_id(&s))
+            .join(",");
         let resp: Vec<R> = self
             .client
             .get(url)
@@ -212,3 +216,24 @@ impl Api {
         Ok(image::load_from_memory(&img)?)
     }
 }
+
+fn sanitize_id(input: &str) -> String {
+    input.replace(
+        |c: char| {
+            let is_valid = c.is_ascii() && (c.is_digit(10) || c.is_alphabetic());
+            !is_valid
+        },
+        "",
+    )
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_sanitize() {
+        assert_eq!("foobar", sanitize_id("../foo/bar"));
+        assert_eq!("foo1", sanitize_id("foo1"));
+    }
+}
-- 
cgit v1.2.3