From 33a3c455e0f1346390cdd75d9cef997c41ed9e01 Mon Sep 17 00:00:00 2001
From: Mint <>
Date: Sun, 27 Nov 2022 23:02:12 +0300
Subject: [PATCH] Prevent single-character search DoS

---
 api.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/api.py b/api.py
index 68be9f2..2aa0613 100644
--- a/api.py
+++ b/api.py
@@ -34,7 +34,7 @@ def info():
 def blocked(domain: str = None, reason: str = None):
 if domain == None and reason == None:
 raise HTTPException(status_code=400, detail="No filter specified")
- conn = sqlite3.connect("blocks.db")
+ if domain == None and reason == None:
 c = conn.cursor()
 if domain != None:
 wildchar = "*." + ".".join(domain.split(".")[-domain.count("."):])
@@ -42,7 +42,10 @@ def blocked(domain: str = None, reason: str = None):
 c.execute("select blocker, blocked, block_level, reason from blocks where blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ?", (domain, "*." + domain, wildchar, get_hash(domain), punycode, "*." + punycode))
 else:
- c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
+ if len(reason) < 3:
+ raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")
+ else:
+ c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
 blocks = c.fetchall()
 conn.close()
-- 
2.39.5
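Review bot: The added line `if domain == None and reason == None:` in the first hunk replaces the `conn = sqlite3.connect("blocks.db")` assignment, and the context line that follows it, `c = conn.cursor()`, is not indented under the new `if`, so as shown the function no longer parses and `conn` is never bound for the `conn.cursor()` and `conn.close()` calls further down. The condition also repeats the check two lines above, which already raises a 400, so it could have no effect even if it were indented. Unless this is a transcription artifact in the patch, the added line should read `conn = sqlite3.connect("blocks.db")` again (the existing `== None` comparisons would idiomatically be `is None`, but that is a separate nit). `blocked`'s body continues past the hunk.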
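Review bot: In the second hunk the new `len(reason) < 3` guard raises only after the database connection and cursor have been opened, so the 400 path leaves `conn` unclosed; `conn.close()` is reached only on the success path. Move the guard up beside the existing `No filter specified` check, before `sqlite3.connect`, as `if reason is not None and len(reason) < 3: raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")`, or open the connection with `with closing(sqlite3.connect("blocks.db")) as conn:` so every exit closes it. The length minimum also does not by itself bound the `LIKE` scan, because `%` and `_` inside `reason` are still interpreted as wildcards and a keyword consisting only of such characters passes the check while matching every row; escaping them in the parameter and adding an `ESCAPE` clause to the query would make the limit meaningful. `blocked`'s body continues past the hunk.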