From e71aee2c2249c372192752d4a9580ffc6dbde039 Mon Sep 17 00:00:00 2001
From: girst
Date: Sat, 29 Apr 2023 16:42:08 +0000
Subject: [PATCH] reddit: validate some parameters and use HTTPExceptions

---
 app/reddit/__init__.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/reddit/__init__.py b/app/reddit/__init__.py
index a430a96..5a3ff63 100644
--- a/app/reddit/__init__.py
+++ b/app/reddit/__init__.py
@@ -2,6 +2,7 @@ import re
 import sqlite3
 from flask_login import current_user, login_required
 from flask import Blueprint, render_template, request, redirect, flash, url_for
+from werkzeug.exceptions import BadRequest, BadGateway
 from ..common.common import *
 from .lib import *
 
@@ -17,8 +18,15 @@ def reddit(subreddit=None):
     token = getattr(current_user, 'token', 'guest')
     after = request.args.get('after')
-    sortorder = request.args.get('s', "hot") # TODO: verify!
-    timerange = request.args.get('t', None) # TODO: verify!
+    sortorder = request.args.get('s', "hot")
+    timerange = request.args.get('t', None)
+
+    if subreddit and not re.fullmatch(r"[-+_0-9A-Za-z]{2,21}", subreddit):
+        raise BadRequest("invalid subreddit")
+    if sortorder not in ("hot", "new", "rising", "controversial", "top"):
+        raise BadRequest("invalid sort order")
+    if timerange not in (None, "hour", "day", "week", "month", "year", "all"):
+        raise BadRequest("invalid top time range")
 
     all_subreddits = get_subreddits(token)
     subreddits = [subreddit] if subreddit else all_subreddits
 
@@ -30,7 +38,7 @@ def reddit(subreddit=None):
         videos = parse_reddit_videos(data)
         after = data['data']['after']
     except RedditException as e:
-        return f"error retrieving reddit data: {e}", 502 # TODO: better
+        raise BadGateway(f"error retrieving reddit data: {e}")
 
     # set pin/hide stati of retrieved videos
     video_ids = [v['video_id'] for v in videos]
-- 
2.39.3
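Review bot: `after` is read from the query string two lines above the new validation block but is the only request parameter the commit leaves unchecked, even though the subject says parameters are now validated. Where `after` is consumed lies outside this hunk, so I cannot confirm it is forwarded to the upstream request; if it is a Reddit pagination cursor, a sibling check in the same style, `if after and not re.fullmatch(r"t[0-9]_[0-9a-z]+", after): raise BadRequest("invalid after cursor")`, would close the gap. The three inline allow-list tuples would also read better hoisted to module-level constants next to the subreddit pattern, so the accepted values are visible in one place. `reddit()` starts above the hunk (its decorators and signature) and continues below it.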
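Review bot: The new `raise BadGateway(f"error retrieving reddit data: {e}")` reflects the full `RedditException` text to the client, so whatever detail the upstream failure carries is now shown on the 502 page rather than kept server-side. Werkzeug HTML-escapes the description, so this is an information-disclosure concern rather than an injection one; I would log the exception with whatever logger the module uses and raise a fixed message, `raise BadGateway("error retrieving reddit data") from e`, keeping the detail in the log. The enclosing `try` block begins above the hunk.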