From f4b699f387209eef357a036191030ec092cc54b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filip=20Tron=C3=AD=C4=8Dek?= Date: Sun, 7 Jan 2024 22:14:02 +0000 Subject: [PATCH] Validate clip format --- Cargo.lock | 44 +++++++++++++++++++++++++++++++++++++------- Cargo.toml | 1 + src/main.rs | 18 ++++++++++++++++++ 3 files changed, 56 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 662fa20..8588829 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,6 +2,15 @@ # It is not intended for manual editing. version = 3 +[[package]] +name = "aho-corasick" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2969dcb958b36655471fc61f7e416fa76033bdd4bfed0678d8fee1e2d07a1f0" +dependencies = [ + "memchr", +] + [[package]] name = "android_system_properties" version = "0.1.5" @@ -661,6 +670,7 @@ dependencies = [ "git2", "log", "rand", + "regex", "rocket", "serde", "serde_json", @@ -827,14 +837,14 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558" dependencies = [ - "regex-automata", + "regex-automata 0.1.10", ] [[package]] name = "memchr" -version = "2.5.0" +version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d" +checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149" [[package]] name = "mime" @@ -1120,11 +1130,14 @@ dependencies = [ [[package]] name = "regex" -version = "1.7.2" +version = "1.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cce168fea28d3e05f158bda4576cf0c844d5045bc2cc3620fa0292ed5bb5814c" +checksum = "380b951a9c5e80ddfd6136919eef32310721aa4aacd4889a8d39124b026ab343" dependencies = [ - "regex-syntax", + "aho-corasick", + "memchr", + "regex-automata 0.4.3", + "regex-syntax 0.8.2", ] [[package]] 
@@ -1133,7 +1146,18 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
 dependencies = [
- "regex-syntax",
+ "regex-syntax 0.6.29",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f804c7828047e88b2d32e2d7fe5a105da8ee3264f01902f796c8e067dc2483f"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax 0.8.2",
 ]
 
 [[package]]
@@ -1142,6 +1166,12 @@ version = "0.6.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
 
+[[package]]
+name = "regex-syntax"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f"
+
 [[package]]
 name = "rocket"
 version = "0.5.0"
diff --git a/Cargo.toml b/Cargo.toml
index da05807..56600fd 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -18,6 +18,7 @@ fern = "0.5"
 git2 = "0.16.1"
 dotenv = "0.15.0"
 diesel = { version = "2.1.4", features = ["postgres", "chrono"] }
+regex = "1.10"
 
 [dependencies.rocket]
 version = "0.5.0"
diff --git a/src/main.rs b/src/main.rs
index 87f0fe8..415164f 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -2,6 +2,7 @@
 mod models;
 mod schema;
 mod utils;
+use regex::Regex;
 use rocket::http::Status;
 use rocket::response::status::Custom;
 use utils::id::gen_id;
@@ -138,6 +139,14 @@ fn set_clip(
         }
     };
 
+    if url.scheme() != "http" && url.scheme() != "https" {
+        let response = APIResponse {
+            status: APIStatus::Error,
+            result: "Invalid URL scheme".to_string(),
+        };
+        return Err(Custom(Status::BadRequest, Json(response)));
+    }
+
     let mut db_connection = match db::initialize() {
         Ok(conn) => conn,
         Err(err) => {
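Review bot: The scheme allowlist is sound, but the five lines that build the rejection (`APIResponse { status: APIStatus::Error, result: "...".to_string() }` wrapped in `Custom(Status::BadRequest, Json(response))`) are repeated verbatim in the get_clip hunk of src/main.rs and, judging by the `return Err(Custom(Status::BadRequest, Json(response)))` already visible just above that hunk, elsewhere in the file; a small `fn bad_request(msg: &str) -> Custom<Json<APIResponse>>` helper would collapse each site to one line. The condition itself reads more idiomatically as `if !matches!(url.scheme(), "http" | "https") {`. set_clip's signature and the parse that produces `url` are outside the hunk, so this assumes `url.scheme()` is already lower-cased by the parser (true for `url::Url`); confirm if it is a different type.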
@@ -204,6 +213,15 @@ fn get_clip(
         return Err(Custom(Status::BadRequest, Json(response)));
     }
 
+    let code_pattern = Regex::new(r"^(?i)[A-Z0-9]{5}$").unwrap();
+    if !code_pattern.is_match(code.as_str()) {
+        let response = APIResponse {
+            status: APIStatus::Error,
+            result: "Invalid clip code format".to_string(),
+        };
+        return Err(Custom(Status::BadRequest, Json(response)));
+    }
+
     let mut db_connection = match db::initialize() {
         Ok(conn) => conn,
         Err(err) => {
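Review bot: The pattern `^(?i)[A-Z0-9]{5}$` is looser than it looks: with the regex crate's Unicode mode on (the default), `(?i)` applies Unicode simple case folding, so `[A-Z]` also matches U+212A KELVIN SIGN and U+017F LATIN SMALL LETTER LONG S and a five-character code containing those non-ASCII letters passes the format check. If the intent is ASCII alphanumerics, drop the flag and spell the class out, `Regex::new(r"^[A-Za-z0-9]{5}$")`, or skip the regex entirely with `if code.len() != 5 || !code.bytes().all(|b| b.is_ascii_alphanumeric()) {`, which also stops compiling a regex on every request and would make the new `regex` dependency added in Cargo.toml and Cargo.lock unnecessary. If the regex stays, hoist it into a `static` (for example via `std::sync::OnceLock`) so the `.unwrap()` on the literal pattern runs once rather than per call. get_clip's signature and the validation preceding this hunk are outside it.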