From d0f1fe5c06bd37d1fb49de1951893e6501c91043 Mon Sep 17 00:00:00 2001
From: Mint <>
Date: Tue, 29 Nov 2022 22:36:46 +0300
Subject: [PATCH] Additional query DoS mitigation

---
 api.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/api.py b/api.py
index c9b1b39..fbbd4da 100644
--- a/api.py
+++ b/api.py
@@ -5,6 +5,7 @@ from hashlib import sha256
 from fastapi.templating import Jinja2Templates
 from requests import get
 from json import loads
+from re import sub
 
 with open("config.json") as f:
     config = loads(f.read())
@@ -34,6 +35,10 @@ def info():
 def blocked(domain: str = None, reason: str = None):
     if domain == None and reason == None:
         raise HTTPException(status_code=400, detail="No filter specified")
+    if reason != None:
+        reason = sub("(%|_)", "", reason)
+        if len(reason) < 3:
+            raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")
     conn = sqlite3.connect("blocks.db")
     c = conn.cursor()
     if domain != None:
@@ -42,10 +47,7 @@ def blocked(domain: str = None, reason: str = None):
         c.execute("select blocker, blocked, block_level, reason from blocks where blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ?", (domain, "*." + domain, wildchar, get_hash(domain), punycode, "*." + punycode))
     else:
-        if len(reason) < 3:
-            raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")
-        else:
-            c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
+        c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
     blocks = c.fetchall()
     conn.close()
-- 
2.39.5
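Review bot: The new `reason = sub("(%|_)", "", reason)` line silently rewrites the caller's keyword rather than validating it: a request for `a_b` is answered with results for `ab` with no indication in the response, and a keyword consisting only of wildcards (e.g. `%%%`) is reported as "shorter than three characters", which is misleading. Rejecting `%`/`_` with a 400 (`if "%" in reason or "_" in reason: raise HTTPException(status_code=400, detail="Wildcards are not allowed in keyword")`), or escaping them and querying with `like ? escape '\'` so they can be searched literally, would be clearer than stripping. The check also bounds only the minimum length; if the motivation is query-cost DoS, a cheap upper bound such as `if len(reason) > 64: raise HTTPException(status_code=400, detail="Keyword is too long")` belongs next to it. Minor style: `is not None` instead of `!= None`, and a raw string `r"[%_]"` for the pattern. The body of `blocked` continues past this hunk.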
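Review bot: The rewritten `c.execute("select ... where reason like ? and reason != ''", ("%"+reason+"%",))` still places no bound on the result set, and `blocks = c.fetchall()` two lines below materialises every matching row, so a three-character keyword that appears in most reasons still returns the whole table — the minimum-length check narrows the pattern, not the output, which is presumably the cost the commit subject is about. Appending a cap to the query, e.g. `... and reason != '' limit ?", ("%"+reason+"%", 1000)`, and noting the cap in the API documentation would address that directly; the same applies to the domain branch above, though it matches exact values and is less exposed. The function's return of `blocks` is outside this hunk, so whether the caller already truncates cannot be confirmed from here.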