Added Input sanitizer to all user input

This commit is contained in:
ZKWolf 2023-09-27 23:25:26 +02:00
parent 22ca19aaf7
commit a730a18670
8 changed files with 103 additions and 95 deletions


@ -12,13 +12,13 @@ def gamenews():
# /gamenews/messages?sortDesc=true&gameVersion=0&platform=PC&language=EN&messageType=InGameNews&faction=Runner&playerLevel=1
try:
sort_desc = request.args.get('sortDesc')
gameVersion = request.args.get('gameVersion')
platform = request.args.get('platform')
language = request.args.get('language')
messageType = request.args.get('messageType')
faction = request.args.get('faction')
playerLevel = request.args.get('playerLevel')
sort_desc = sanitize_input(request.args.get('sortDesc'))
gameVersion = sanitize_input(request.args.get('gameVersion'))
platform = sanitize_input(request.args.get('platform'))
language = sanitize_input(request.args.get('language'))
messageType = sanitize_input(request.args.get('messageType'))
faction = sanitize_input(request.args.get('faction'))
playerLevel = sanitize_input(request.args.get('playerLevel'))
output = json.load(open(os.path.join(app.root_path, "json", "placeholders", "gamenews.json"), "r"))
return jsonify(output)
except TimeoutError:
@ -30,7 +30,7 @@ def gamenews():
@app.route("/api/v1/config/VER_LATEST_CLIENT_DATA", methods=["GET"])
def config_ver_latest_client_data():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -43,13 +43,14 @@ def config_ver_latest_client_data():
@app.route("/api/v1/utils/contentVersion/latest/<version>", methods=["GET"])
def content_version_latest(version):
version_san = sanitize_input(version)
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
print("Responded to content version api call GET")
print(f"Version called by client: {version}")
print(f"Version called by client: {version_san}")
return jsonify({"LatestSupportedVersion": "te-18f25613-36778-ue4-374f864b"})
except TimeoutError:
return jsonify({"status": "error"})
@ -174,7 +175,7 @@ def services_tex():
@app.route("/api/v1/consent/eula2", methods=["PUT", "GET"])
def consent_eula():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -190,11 +191,6 @@ def consent_eula():
logger.graylog_logger(level="error", handler="general-consent-eula",
message=f"Error in consent_eula: {e}")
elif request.method == "GET":
if request.cookies.get('bhvrSession') is None:
return jsonify({"Userid": userid, "ConsentList": [{"ConsentId": "ZKApi", "isGiven": True,
"UpdatedDate": 1689714606, "AttentionNeeded": False,
"LatestVersion": "ZKApi"}]})
session_cookie = request.cookies.get("bhvrSession")
if not session_cookie:
return jsonify({"message": "Endpoint not found"}), 404
userid = session_manager.get_user_id(session_cookie)
@ -225,7 +221,7 @@ def consent_eula():
@app.route("/api/v1/consent/eula", methods=["GET"])
def consent_eula0():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -240,7 +236,7 @@ def consent_eula0():
@app.route("/api/v1/consent/privacyPolicy", methods=["GET"])
def privacy_policy():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -255,7 +251,7 @@ def privacy_policy():
@app.route("/api/v1/extensions/leaderboard/getScores", methods=["GET", "POST"])
def leaderboard_get_scores():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
if request.method == "POST":
@ -283,7 +279,7 @@ def submit():
@app.route("/api/v1/extensions/quitters/getQuitterState", methods=["POST"])
def get_quitter_state():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
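Review bot: In consent_eula the sanitized cookie read near the top makes the surviving GET-branch guard `if not session_cookie: return jsonify({"message": "Endpoint not found"}), 404` unreachable, because `sanitize_input` is `bleach.clean` (per the global_handlers change in this commit) and bleach.clean only accepts str, so a missing bhvrSession cookie now raises TypeError and surfaces as a 500 instead of the intended 404. The same applies to every `sanitize_input(request.cookies.get("bhvrSession"))` and `sanitize_input(request.args.get(...))` in this file whenever the value is absent. Read the raw value first and sanitize only after the None check, e.g. `session_cookie = request.cookies.get("bhvrSession")` then `if session_cookie is None: return jsonify({"message": "Endpoint not found"}), 404` then `session_cookie = sanitize_input(session_cookie)`. Note also that in gamenews the seven sanitized query values are never used within the try body, so there the sanitizer only adds a new failure path on absent parameters.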


@ -24,14 +24,14 @@ def queue_info():
try:
# ?category=Steam-te-23ebf96c-27498-ue4-7172a3f5&gameMode=Default&region=US&countA=1&countB=5
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
category = request.args.get("category")
game_mode = request.args.get("gameMode")
region = request.args.get("region")
category = sanitize_input(request.args.get("category"))
game_mode = sanitize_input(request.args.get("gameMode"))
region = sanitize_input(request.args.get("region"))
count_a = request.args.get("countA") # Hunter Count
count_b = request.args.get("countB") # Runner Count
side = request.args.get("side", "")
side = sanitize_input(request.args.get("side", ""))
session = matchmaking_queue.getSession(userid)
if region == "DEV":
return jsonify({"A": {"Size": 1, "ETA": 100, "stable": True}, "B": {"Size": 5, "ETA": 100, "stable": True},
@ -57,17 +57,17 @@ def queue():
# {"category":"Steam-te-18f25613-36778-ue4-374f864b","rank":1,"side":"B","latencies":[],"additionalUserIds":[],
# "checkOnly":false,"gameMode":"08d2279d2ed3fba559918aaa08a73fa8-Default","region":"US","countA":1,"countB":5}
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
category = request.json.get("category")
category = sanitize_input(request.json.get("category"))
rank = request.json.get("rank")
side = request.json.get("side")
latencies = request.json.get("latencies")
side = sanitize_input(request.json.get("side"))
latencies = sanitize_input("latencies")
additional_user_ids = request.json.get("additionalUserIds")
check_only = request.json.get("checkOnly") # False = Searching. True = Is searching and waiting for match
game_mode = request.json.get("gameMode")
region = request.json.get("region")
game_mode = sanitize_input(request.json.get("gameMode"))
region = sanitize_input(request.json.get("region"))
count_a = request.json.get("countA")
count_b = request.json.get("countB")
spoofed_match_id = "0051681e-72ce-46f0-bda2-752e471d0d08"
@ -141,7 +141,7 @@ def queue():
@app.route("/api/v1/queue/cancel", methods=["POST"])
def cancel_queue():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -153,10 +153,11 @@ def cancel_queue():
return "", 204
@app.route("/api/v1/match/<matchid>", methods=["GET"])
def match(matchid):
@app.route("/api/v1/match/<matchid_unsanitized>", methods=["GET"])
def match(matchid_unsanitized):
matchid = sanitize_input(matchid_unsanitized)
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
if matchid == "0051681e-72ce-46f0-bda2-752e471d0d08":
return jsonify({"MatchId": matchid, "Category": "Steam-te-18f25613-36778-ue4-374f864b", "Rank": 1})
@ -168,10 +169,11 @@ def match(matchid):
return jsonify({"message": "Internal Server Error"}), 500
@app.route("/api/v1/match/<matchid>/Kill", methods=["PUT"])
def match_kill(matchid):
@app.route("/api/v1/match/<matchid_unsanitized>/Kill", methods=["PUT"])
def match_kill(matchid_unsanitized):
matchid = sanitize_input(matchid_unsanitized)
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
lobby, _ = matchmaking_queue.getLobbyById(matchid)
@ -189,12 +191,13 @@ def match_kill(matchid):
return jsonify({"message": "Internal Server Error"}), 500
@app.route("/api/v1/match/<match_id>/register", methods=["POST"])
def match_register(match_id):
@app.route("/api/v1/match/<match_id_unsanitized>/register", methods=["POST"])
def match_register(match_id_unsanitized):
try:
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
match_id = sanitize_input(match_id_unsanitized)
logger.graylog_logger(level="info", handler="match_register",
message=f"User {userid} is registering to match {match_id}")
@ -216,12 +219,13 @@ def match_register(match_id):
return jsonify({"message": "Internal Server Error"}), 500
@app.route("/api/v1/match/<match_id>/Quit", methods=["PUT"])
def match_quit(match_id):
@app.route("/api/v1/match/<match_id_unsanitized>/Quit", methods=["PUT"])
def match_quit(match_id_unsanitized):
try:
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
match_id = sanitize_input(match_id_unsanitized)
logger.graylog_logger(level="info", handler="logging_queue",
message=f"User {userid} is quitting match {match_id}")
@ -252,11 +256,11 @@ def match_create():
# 'props': {'MatchConfiguration': '/Game/Configuration/MatchConfig/MatchConfig_Demo.MatchConfig_Demo'},
# 'latencies': []}
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
category = request.json.get("category")
rank = request.json.get("rank")
category = sanitize_input(request.json.get("category"))
rank = sanitize_input(request.json.get("rank"))
players_a = request.json.get("playersA")
players_b = request.json.get("playersB")
props = request.json.get("props")
@ -277,7 +281,7 @@ def match_create():
@app.route("/api/v1/extensions/progression/playerEndOfMatch", methods=["POST"])
def progression_player_end_of_match():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
logger.graylog_logger(level="info", handler="matchmaking_playerEndOfMatch", message=request.get_json())
@ -288,10 +292,13 @@ def progression_player_end_of_match():
logger.graylog_logger(level="error", handler="matchmaking_playerEndOfMatch", message=e)
@app.route("/file/<game_version>/<seed>/<map_name>", methods=["POST", "GET"])
def file_gold_rush(seed, map_name, game_version):
@app.route("/file/<game_version_unsanitized>/<seed_unsanitized>/<map_name_unsanitized>", methods=["POST", "GET"])
def file_gold_rush(seed_unsanitized, map_name_unsanitized, game_version_unsanitized):
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
game_version = sanitize_input(game_version_unsanitized)
seed = sanitize_input(seed_unsanitized)
map_name = sanitize_input(map_name_unsanitized)
userid = session_manager.get_user_id(session_cookie)
file_name = f"{game_version}_{seed}_{map_name}.raw"
@ -315,7 +322,7 @@ def file_gold_rush(seed, map_name, game_version):
@app.route("/metrics/matchmaking/event", methods=["POST"])
def metrics_matchmaking_event():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
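Review bot: `latencies = sanitize_input("latencies")` in queue() sanitizes the literal string instead of the request field, so `latencies` is now always the text `latencies` and the client's value is silently dropped; it should read `latencies = request.json.get("latencies")`. Passing the real value through the helper would not work either: per the sample payload in the comment `latencies` is a list and `rank` is an int (also sanitized in match_create), and bleach.clean raises TypeError for anything that is not a str, so these JSON fields should be type-checked (`isinstance(rank, int)`) rather than HTML-escaped. For the path parameters (matchid, match_id, game_version/seed/map_name that are joined into `file_name`), HTML escaping is not the right control, since bleach leaves characters such as `.`, `\` and `_` alone; an allow-list such as `re.fullmatch(r"[0-9a-f-]{36}", matchid)` for match ids and `re.fullmatch(r"[A-Za-z0-9_-]+", part)` for each file-name component is what actually constrains what reaches `getLobbyById` and the filesystem (where `file_name` is used is outside the hunk).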


@ -2,8 +2,9 @@ from flask_definitions import *
# Do NOT change Result to ANYTHING or Add anything before it. Game will crash. Doesnt mean it 100% works tho XD
@app.route("/<game_version>/catalog", methods=["GET"])
def catalog_get(game_version):
@app.route("/<game_version_unsanitized>/catalog", methods=["GET"])
def catalog_get(game_version_unsanitized):
game_version = sanitize_input(game_version_unsanitized)
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
userid = session_manager.get_user_id(session_cookie)
@ -21,7 +22,7 @@ def catalog_get(game_version):
@app.errorhandler(404)
def debug_404(e):
check_for_game_client("soft")
logger.graylog_logger(level="error", handler="404-handler", message=f"Path: {request.path} Endpoint: {request.endpoint}")
logger.graylog_logger(level="error", handler="404-handler", message=f"Path: {sanitize_input(request.path)} Endpoint: {sanitize_input(request.endpoint)}")
print(e)
return jsonify({"message": "Endpoint not found"}), 404
@ -29,6 +30,6 @@ def debug_404(e):
@app.errorhandler(500)
def debug_500(e):
check_for_game_client("soft")
logger.graylog_logger(level="error", handler="500-handler", message=f"Path: {request.path} Endpoint: {request.endpoint}, Error: {e}")
logger.graylog_logger(level="error", handler="500-handler", message=f"Path: {sanitize_input(request.path)} Endpoint: {sanitize_input(request.endpoint)}, Error: {e}")
print(e)
return jsonify({"message": "Internal Server Error"}), 500
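Review bot: `sanitize_input(request.endpoint)` in debug_404 will raise inside the error handler, because Flask leaves `request.endpoint` as None when no URL rule matched — which is exactly the 404 case — and bleach.clean rejects non-str values with TypeError, so every 404 would turn into a 500. Log the endpoint unescaped, or only sanitize the path: `message=f"Path: {sanitize_input(request.path)} Endpoint: {request.endpoint}"`; debug_500 has the same exposure when the failing request did not match a route. Separately, catalog_get is the one handler in this commit that still reads `bhvrSession` without `sanitize_input`; if that is deliberate a short comment would save the next reader from "fixing" it.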


@ -49,10 +49,10 @@ def steam_login_function():
def steam_login():
# Read Doc\SteamAuth.md for more information
ip = check_for_game_client("soft")
user_agent = request.headers.get('User-Agent')
user_agent = sanitize_input(request.headers.get('User-Agent'))
request_token = sanitize_input(request.args.get('token'))
if user_agent.startswith("TheExit/++UE4+Release-4.2"):
if request.args.get(
'token') == "140000007B7B7B7B02000000E3FA3952010010017B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B":
if request_token == "140000007B7B7B7B02000000E3FA3952010010017B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B":
userid, token = mongo.user_db_handler("Debug_session")
current_time, expire_time = get_time()
return_val = jsonify({"preferredLanguage": "en", "friendsFirstSync": {"steam": True},
@ -95,7 +95,7 @@ def steam_login():
@app.route("/api/v1/modifierCenter/modifiers/me", methods=["GET"])
def modifiers():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
steamid, token = mongo.get_data_with_list(login=userid, login_steam=False,
@ -113,12 +113,12 @@ def modifiers():
@app.route("/moderation/check/username", methods=["POST"])
def moderation_check_username():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
request_var = request.get_json()
userid = request_var["userId"]
userid = sanitize_input(request_var["userId"])
steamid, token = mongo.get_user_info(userId=userid)
return jsonify({"Id": userid, "Token": token,
"Provider": {"ProviderName": request_var["username"],
@ -133,7 +133,7 @@ def moderation_check_username():
@app.route("/api/v1/progression/experience", methods=["POST"])
def progression_experience():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -172,12 +172,12 @@ def progression_experience():
def challenges_get_challenges():
# client: {"data":{"userId":"619d6f42-db87-4f3e-8dc9-3c9995613614","challengeType":"Daily"}}
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
response = request.get_json()
challenge_type = response["data"]["challengeType"]
challenge_type = sanitize_input(response["data"]["challengeType"])
if challenge_type == "Weekly":
return jsonify({"Challenges": ["ARBDamage_HunterWeekly", "AssaultRifleWins_HunterWeekly",
"BleedOut_HunterWeekly", "BleedOut_RunnerWeekly", "Damage_HunterWeekly",
@ -205,7 +205,7 @@ def challenges_get_challenges():
@app.route("/api/v1/extensions/challenges/executeChallengeProgressionOperationBatch", methods=["POST"])
def challenges_execute_challenge_progression_operation_batch():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -227,7 +227,7 @@ def challenges_execute_challenge_progression_operation_batch():
@app.route("/api/v1/inventories", methods=["GET"])
def inventories():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -250,7 +250,7 @@ def inventories():
@app.route("/api/v1/players/me/splinteredstates/ProgressionGroups", methods=["GET"])
def progression_groups():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
# This is the real code but need to build this first
@ -277,7 +277,7 @@ def progression_groups():
@app.route("/api/v1/players/ban/status", methods=["GET"])
def ban_status():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -309,7 +309,7 @@ def ban_status():
@app.route("/api/v1/players/ban/getbaninfo", methods=["GET"])
def get_ban_info():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -325,7 +325,7 @@ def get_ban_info():
@app.route("/api/v1/wallet/currencies", methods=["GET"])
def wallet_currencies():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -351,7 +351,7 @@ def wallet_currencies():
@app.route("/api/v1/wallet/currencies/PROGRESSION_CURRENCY", methods=["GET"])
def wallet_currencies_progression():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -366,7 +366,7 @@ def wallet_currencies_progression():
@app.route("/api/v1/players/me/splinteredstates/TheExit_Achievements", methods=["GET"])
def achievements_get():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -390,7 +390,7 @@ def achievements_get():
@app.route("/api/v1/messages/count", methods=["GET"])
def messages_count():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -408,7 +408,7 @@ def messages_count():
@app.route("/api/v1/messages/list", methods=["GET", "DELETE"])
def messages_list():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -457,7 +457,7 @@ def messages_mark_as():
# {"messageList":[{"received":1687192385,"recipientId":"2"}],"flag":"READ"}
try:
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
data = request.get_json()
message_list = data["messageList"]
@ -474,21 +474,19 @@ def messages_mark_as():
logger.graylog_logger(level="error", handler="messages_mark_as", message=e)
return jsonify({"status": "API error"})
return jsonify("", 204)
# Temp response.
@app.route("/moderation/check/chat", methods=["POST"])
def moderation_check_chat():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
data = request.get_json()
userid = data["userId"]
language = data["language"]
message = data["message"]
userid = sanitize_input(data["userId"])
language = sanitize_input(data["language"])
message = sanitize_input(data["message"])
# Why should we care? Can we get in trouble if we don't?
return jsonify({"status": "success", "result": "OK"}) # Testing stuff
except TimeoutError:
@ -501,7 +499,7 @@ def moderation_check_chat():
@app.route("/api/v1/extensions/progression/initOrGetGroups", methods=["POST"])
def extension_progression_init_or_get_groups():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -573,7 +571,7 @@ def extension_progression_init_or_get_groups():
@app.route("/api/v1/extensions/inventory/unlockSpecialItems", methods=["POST"])
def inventory_unlock_special_items():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
@ -588,7 +586,7 @@ def inventory_unlock_special_items():
@app.route("/api/v1/extensions/challenges/getChallengeProgressionBatch", methods=["POST"])
def challenges_get_challenge_progression_batch():
check_for_game_client("strict")
session_cookie = request.cookies.get("bhvrSession")
session_cookie = sanitize_input(request.cookies.get("bhvrSession"))
userid = session_manager.get_user_id(session_cookie)
try:
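Review bot: In moderation_check_username the sanitized `request_var["userId"]` still overwrites the `userid` that was just resolved from the session cookie, and the handler then looks up and returns `token` for that client-chosen id; HTML-escaping the value does not change that the caller decides whose record comes back. If the body's userId is required to match the session, enforce it before the lookup: `if request_var["userId"] != userid: return jsonify({"message": "Forbidden"}), 403` (moderation_check_chat replaces the session user from the body in the same way). Also, `request_token = sanitize_input(request.args.get('token'))` in steam_login raises TypeError when the parameter is absent, because bleach.clean only accepts str, whereas the old `request.args.get('token') == "..."` comparison simply evaluated false; use `request.args.get('token', '')` or sanitize after a None check to keep the fall-through behaviour.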


@ -42,8 +42,9 @@ def debug_root():
@app.route('/debug/user/', methods=['GET'], defaults={'steamid': None})
@app.route('/debug/user/<steamid>', methods=['GET'])
def debug_user(steamid):
@app.route('/debug/user/<steamid_unsanitized>', methods=['GET'])
def debug_user(steamid_unsanitized):
steamid = sanitize_input(steamid_unsanitized)
if steamid is None:
return render_template('debug/user.html', is_id_set=False, id_not_found=True)
@ -81,13 +82,13 @@ def debug_mirrors_write():
try:
if request.method == "POST":
try:
api_token = request.cookies.get("api_token")
api_token = sanitize_input(request.cookies.get("api_token"))
if api_token is None:
return jsonify({"status": "error", "message": "No api token found"}, 401)
if api_token not in allowed_tokens:
return jsonify({"status": "error", "message": "Invalid api token"}), 401
steam_user_id = request.json.get("steamid")
data_b = request.json.get("data")
steam_user_id = sanitize_input(request.json.get("steamid"))
data_b = sanitize_input(request.json.get("data"))
if not data_b:
return jsonify({"status": "error", "message": "No data found."}), 400
@ -122,12 +123,12 @@ def debug_mirrors_get():
try:
if request.method == "POST":
try:
api_token = request.cookies.get("api_token")
api_token = sanitize_input(request.cookies.get("api_token"))
if api_token is None:
return jsonify({"status": "error", "message": "No api token found"}, 401)
if api_token not in allowed_tokens:
return jsonify({"status": "error", "message": "Invalid api token"}), 401
steam_user_id = request.json.get("steamid")
steam_user_id = sanitize_input(request.json.get("steamid"))
if not steam_user_id:
return jsonify({"status": "error", "message": "No Steamid found."}), 400
@ -153,7 +154,6 @@ def debug_mirrors_get():
logger.graylog_logger(level="error", handler="web_debug_mirrors", message=e)
@app.route('/updater/', methods=["GET"])
def updater_root():
return render_template("updater.html")
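Review bot: The unchanged `@app.route('/debug/user/', methods=['GET'], defaults={'steamid': None})` still passes the keyword `steamid`, but the view's parameter is now `steamid_unsanitized`, so a request to `/debug/user/` fails with an unexpected-keyword TypeError before the `if steamid is None` branch is reached; and even with the key renamed, `sanitize_input(None)` would raise first since bleach.clean only accepts str. Change the defaults to `defaults={'steamid_unsanitized': None}` and sanitize after the check: `steamid = sanitize_input(steamid_unsanitized) if steamid_unsanitized is not None else None`. In debug_mirrors_write and debug_mirrors_get the `if api_token is None` guard right after `api_token = sanitize_input(request.cookies.get("api_token"))` is now unreachable for the same reason, so a request without the cookie yields a 500 rather than the 401 the guard intends; and `data_b = sanitize_input(request.json.get("data"))` assumes `data` is a string, which the following `if not data_b` check does not establish.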


@ -3,6 +3,7 @@ from logic.setup_handlers import load_config
from logic.logging_handler import logger
from logic.global_handlers import session_manager
from logic.global_handlers import check_for_game_client
from logic.global_handlers import sanitize_input
from logic.mongodb_handler import mongo
import json
import os


@ -1,6 +1,7 @@
from flask_definitions import *
import time
import uuid
import bleach
def _get_remote_ip(check_type="strict"):
@ -24,7 +25,7 @@ def _get_remote_ip(check_type="strict"):
def check_for_game_client(check_type="strict"):
if check_type == "strict":
user_agent = request.headers.get('User-Agent')
user_agent = sanitize_input(request.headers.get('User-Agent'))
if user_agent.startswith("TheExit/++UE4+Release-4.2"):
_get_remote_ip("strict")
elif user_agent.startswith("game=TheExit, engine=UE4, version="):
@ -46,6 +47,10 @@ def check_for_game_client(check_type="strict"):
_get_remote_ip("soft")
def sanitize_input(input_value):
return bleach.clean(input_value)
class Session_Manager:
def __init__(self):
self.sessions = {}
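Review bot: `sanitize_input` hands its argument straight to `bleach.clean`, which raises TypeError for anything that is not a str, yet the call sites added in this commit feed it optional cookies, headers and query args (None when absent) as well as JSON ints and lists, and several None checks that follow those calls become unreachable as a result. Add a type guard before the call, `if not isinstance(input_value, str): return input_value`, and decide deliberately whether non-str input should pass through or be rejected. The helper also deserves a docstring stating what it is for: bleach escapes HTML so the value is safe to render or log, but it does not validate format, so identifiers that reach file names, queue lookups or Mongo queries still need an allow-list check at the call site. In check_for_game_client, `request.headers.get('User-Agent', '')` would let a request without the header be rejected by the `startswith` checks instead of crashing (previously AttributeError on None, now TypeError from bleach). Since `import bleach` introduces a new third-party dependency, it also needs adding to the project's requirements if there is a pinned list (not visible here).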


@ -84,7 +84,7 @@ class MatchManager:
'props': {
'MatchConfiguration': '/Game/Configuration/MatchConfig/MatchConfig_Demo.MatchConfig_Demo'},
'latencies': []}}
self.create_match(user_id, json_dict)
self.create_match(json_dict)
else:
self._queue_dict[user_id] = user_id
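Review bot: `self.create_match(json_dict)` drops the `user_id` argument the previous call passed, which is unrelated to the sanitizer work described in the commit message and cannot be verified here because `create_match`'s definition is outside the hunk and this is the only hunk shown for the file. If create_match still takes `(user_id, json_dict)` this call raises TypeError at match creation; if it already took only `json_dict` this fixes a latent bug, and either way a sentence in the commit message would help. The enclosing method starts before the hunk, so the surrounding context is not visible.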