Prevent single-character search DoS

author Mint <>

Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)

committer Mint <>

Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)
author Mint <>
Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)
committer Mint <>
Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)
diff --git a/api.py b/api.py

index 68be9f2aaef469b5db700d75a0ddde0d05057473..2aa0613219707e7789fb629d66197eccb035505b 100644 (file)
--- a/api.py
+++ b/api.py
@@ -34,7 +34,7 @@ def info():
  def blocked(domain: str = None, reason: str = None):
      if domain == None and reason == None:
          raise HTTPException(status_code=400, detail="No filter specified")
-    conn = sqlite3.connect("blocks.db")
+    if domain == None and reason == None:
      c = conn.cursor()
      if domain != None:
          wildchar = "*." + ".".join(domain.split(".")[-domain.count("."):])
@@ -42,7 +42,10 @@ def blocked(domain: str = None, reason: str = None):
          c.execute("select blocker, blocked, block_level, reason from blocks where blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ?",
                    (domain, "*." + domain, wildchar, get_hash(domain), punycode, "*." + punycode))
      else:
-        c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
+        if len(reason) < 3:
+            raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")
+        else:
+            c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
      blocks = c.fetchall()
      conn.close()
author	Mint <>
	Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)
committer	Mint <>
	Sun, 27 Nov 2022 20:02:12 +0000 (23:02 +0300)