From 8212e56fd470985bcb5dca94defc40854fb95894 Mon Sep 17 00:00:00 2001
From: Daniel Schadt
Date: Tue, 10 Dec 2019 13:54:12 +0100
Subject: sanitize ID before accessing or sending to the API
---
 src/api/mod.rs | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
(limited to 'src/api')
diff --git a/src/api/mod.rs b/src/api/mod.rs
index 41034ec..9c771fd 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -121,7 +121,7 @@ impl Api {
 let mut api_ids: Vec = Vec::new();
 for id in ids {
- let cache_path = format!("{}{}", cache_prefix, id.to_string());
+ let cache_path = format!("{}{}", cache_prefix, sanitize_id(&id.to_string()));
 match self.get_cached(cache_path)? {
 Some(cached) => result.push(cached),
 None => api_ids.push(id.clone()),
@@ -133,7 +133,11 @@ impl Api {
 }
 let url = self.make_url(endpoint);
- let api_arg = api_ids.iter().map(ToString::to_string).join(",");
+ let api_arg = api_ids
+ .iter()
+ .map(ToString::to_string)
+ .map(|s| sanitize_id(&s))
+ .join(",");
 let resp: Vec = self
 .client
 .get(url)
@@ -212,3 +216,24 @@ impl Api {
 Ok(image::load_from_memory(&img)?)
 }
 }
+
+fn sanitize_id(input: &str) -> String {
+ input.replace(
+ |c: char| {
+ let is_valid = c.is_ascii() && (c.is_digit(10) || c.is_alphabetic());
+ !is_valid
+ },
+ "",
+ )
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_sanitize() {
+ assert_eq!("foobar", sanitize_id("../foo/bar"));
+ assert_eq!("foo1", sanitize_id("foo1"));
+ }
+}
-- cgit v1.2.3
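Review bot: Stripping characters in `sanitize_id` is lossy, so at the `cache_path` line two ids that differ only in removed characters (for example `a-b` and `ab`, values constructed for illustration) map to the same cache file and one can be served in place of the other; an id made only of removed characters yields the bare `cache_prefix`. The same applies to the `api_arg` chain in the next hunk, where the request silently asks for a different id than the caller passed, while `api_ids` still holds the unsanitized values. Rejecting such ids keeps both the cache key and the request unambiguous: check `id.to_string().chars().all(|c| c.is_ascii_alphanumeric())` at the top of the loop and return an error of the crate's own error type when it fails. The enclosing function starts and ends outside both hunks, so how responses are matched back to ids is not visible here.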
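Review bot: `sanitize_id` has no doc comment saying what it protects against, and its predicate spells out `char::is_ascii_alphanumeric` by hand. I would add `/// Removes every character that is not an ASCII letter or digit, so an id cannot add path components to a cache path or extra separators to the API query.` and reduce the closure to `|c: char| !c.is_ascii_alphanumeric()`. `test_sanitize` would also benefit from a case whose result is empty, e.g. `assert_eq!("", sanitize_id("../"));`, since both callers then continue with an empty id.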