
Fix rejected files showing in hash routes (#375)

* Fix rejected files showing in hash routes

* Run prepare and formatter

* Add modrinth.com exception for callback URLs

* run fmt
This commit is contained in:
Geometrically
2022-06-18 14:09:37 -07:00
committed by GitHub
parent 782bb11894
commit cd514285d9
8 changed files with 237 additions and 181 deletions


@@ -1,4 +1,4 @@
/*!
/*!
This auth module is primarily for use within the main website. Applications interacting with the
authenticated API (a very small portion - notifications, private projects, editing/creating projects
and versions) should either retrieve the Modrinth GitHub token through the site, or create a personal
@@ -16,6 +16,7 @@ use crate::models::error::ApiError;
use crate::models::ids::base62_impl::{parse_base62, to_base62};
use crate::models::ids::DecodingError;
use crate::models::users::Role;
use crate::parse_strings_from_var;
use crate::util::auth::get_github_user_from_token;
use actix_web::http::StatusCode;
use actix_web::web::{scope, Data, Query, ServiceConfig};
@@ -24,7 +25,6 @@ use serde::{Deserialize, Serialize};
use sqlx::postgres::PgPool;
use thiserror::Error;
use time::OffsetDateTime;
use crate::parse_strings_from_var;
pub fn config(cfg: &mut ServiceConfig) {
cfg.service(scope("auth").service(auth_callback).service(init));
@@ -82,7 +82,7 @@ impl actix_web::ResponseError for AuthorizationError {
AuthorizationError::Decoding(..) => "decoding_error",
AuthorizationError::Authentication(..) => {
"authentication_error"
},
}
AuthorizationError::Url => "url_error",
},
description: &self.to_string(),
@@ -114,13 +114,16 @@ pub async fn init(
Query(info): Query<AuthorizationInit>,
client: Data<PgPool>,
) -> Result<HttpResponse, AuthorizationError> {
let url = url::Url::parse(&info.url).map_err(|_| AuthorizationError::Url)?;
let url =
url::Url::parse(&info.url).map_err(|_| AuthorizationError::Url)?;
let allowed_callback_urls = parse_strings_from_var("ALLOWED_CALLBACK_URLS")
.unwrap_or_default();
let allowed_callback_urls =
parse_strings_from_var("ALLOWED_CALLBACK_URLS").unwrap_or_default();
let domain = url.domain().ok_or(AuthorizationError::Url)?;
if !allowed_callback_urls.iter().any(|x| domain.ends_with(x)) {
if !allowed_callback_urls.iter().any(|x| domain.ends_with(x))
|| domain == "modrinth.com"
{
return Err(AuthorizationError::Url);
}
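Review bot: The allowlist test on the `any` line is a bare `ends_with`, so any hostname whose trailing characters happen to equal an allowed entry passes even when there is no label boundary in front of it; the added `|| domain == "modrinth.com"` clause does not close that gap. Match on a label boundary instead, e.g. `.any(|x| domain == x.as_str() || domain.ends_with(&format!(".{x}")))` (assuming `allowed_callback_urls` holds `String`s, which `parse_strings_from_var` suggests but the hunk does not show). The new exact-match exclusion of the apex domain is not self-explanatory next to an env-driven allowlist and deserves a one-line comment stating why it is rejected. `init`'s body continues outside the hunk.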


@@ -34,12 +34,17 @@ pub async fn get_version_from_hash(
let result = sqlx::query!(
"
SELECT f.version_id version_id FROM hashes h
SELECT f.version_id version_id
FROM hashes h
INNER JOIN files f ON h.file_id = f.id
WHERE h.algorithm = $2 AND h.hash = $1
INNER JOIN versions v on f.version_id = v.id
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = $1 AND s.status != $3
",
hash.as_bytes(),
algorithm.algorithm
algorithm.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_optional(&**pool)
.await?;
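Review bot: The new `s.status != $3` predicate is a denylist that hides only `Rejected`; if `ProjectStatus` has other non-public variants (the enum is not visible here), versions of projects in those states stay resolvable through these unauthenticated hash lookups, so either filter on the approved status set or add a comment stating why excluding only rejected is sufficient. The same predicate and the same `models::projects::ProjectStatus::Rejected.to_string()` bind are repeated in `download_version`, `get_update_from_hash`, `get_versions_from_hashes`, `download_files` and `update_files`, so binding the string once in a shared helper or constant would keep the six copies from drifting. The filter also relies on the `Display` output of `ProjectStatus` matching the `statuses.status` column; a comment such as `// statuses.status holds ProjectStatus::to_string() values` above the query would make that coupling explicit. `get_version_from_hash`'s body continues outside the hunk.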
@@ -81,10 +86,13 @@ pub async fn download_version(
SELECT f.url url, f.id id, f.version_id version_id, v.mod_id project_id FROM hashes h
INNER JOIN files f ON h.file_id = f.id
INNER JOIN versions v ON v.id = f.version_id
WHERE h.algorithm = $2 AND h.hash = $1
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = $1 AND s.status != $3
",
hash.as_bytes(),
algorithm.algorithm
algorithm.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_optional(&mut *transaction)
.await?;
@@ -242,10 +250,13 @@ pub async fn get_update_from_hash(
SELECT v.mod_id project_id FROM hashes h
INNER JOIN files f ON h.file_id = f.id
INNER JOIN versions v ON v.id = f.version_id
WHERE h.algorithm = $2 AND h.hash = $1
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = $1 AND s.status != $3
",
hash.as_bytes(),
algorithm.algorithm
algorithm.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_optional(&**pool)
.await?;
@@ -310,10 +321,14 @@ pub async fn get_versions_from_hashes(
"
SELECT h.hash hash, h.algorithm algorithm, f.version_id version_id FROM hashes h
INNER JOIN files f ON h.file_id = f.id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[])
INNER JOIN versions v ON v.id = f.version_id
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[]) AND s.status != $3
",
hashes_parsed.as_slice(),
file_data.algorithm
file_data.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_all(&**pool)
.await?;
@@ -370,10 +385,13 @@ pub async fn download_files(
SELECT f.url url, h.hash hash, h.algorithm algorithm, f.version_id version_id, v.mod_id project_id FROM hashes h
INNER JOIN files f ON h.file_id = f.id
INNER JOIN versions v ON v.id = f.version_id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[])
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[]) AND s.status != $3
",
hashes_parsed.as_slice(),
file_data.algorithm
file_data.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_all(&mut *transaction)
.await?;
@@ -421,10 +439,13 @@ pub async fn update_files(
SELECT f.url url, h.hash hash, h.algorithm algorithm, f.version_id version_id, v.mod_id project_id FROM hashes h
INNER JOIN files f ON h.file_id = f.id
INNER JOIN versions v ON v.id = f.version_id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[])
INNER JOIN mods m on v.mod_id = m.id
INNER JOIN statuses s on m.status = s.id
WHERE h.algorithm = $2 AND h.hash = ANY($1::bytea[]) AND s.status != $3
",
hashes_parsed.as_slice(),
update_data.algorithm
update_data.algorithm,
models::projects::ProjectStatus::Rejected.to_string()
)
.fetch_all(&mut *transaction)
.await?;