From 4b6a574ee0e7ab4362c188be646369f2c440eb6c Mon Sep 17 00:00:00 2001
From: Miro Prasil
Date: Tue, 23 Mar 2021 13:39:09 +0000
Subject: [PATCH 1/2] Return generic message when Send not available

This should help avoid leaking information about (non)existence of Send and be more in line with what official server returns.
---
 src/api/core/sends.rs | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/api/core/sends.rs b/src/api/core/sends.rs
index 2b1c4334..c63266da 100644
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@@ -228,27 +228,27 @@ pub struct SendAccessData {
 fn post_access(access_id: String, data: JsonUpcase, conn: DbConn) -> JsonResult {
     let mut send = match Send::find_by_access_id(&access_id, &conn) {
         Some(s) => s,
-        None => err_code!("Send not found", 404),
+        None => err_code!("Send does not exist or is no longer available", 404),
     };
 
     if let Some(max_access_count) = send.max_access_count {
         if send.access_count >= max_access_count {
-            err_code!("Max access count reached", 404);
+            err_code!("Send does not exist or is no longer available", 404);
         }
     }
 
     if let Some(expiration) = send.expiration_date {
         if Utc::now().naive_utc() >= expiration {
-            err_code!("Send has expired", 404)
+            err_code!("Send does not exist or is no longer available", 404)
         }
     }
 
     if Utc::now().naive_utc() >= send.deletion_date {
-        err_code!("Send has been deleted", 404)
+        err_code!("Send does not exist or is no longer available", 404)
     }
 
     if send.disabled {
-        err_code!("Send has been disabled", 404)
+        err_code!("Send does not exist or is no longer available", 404)
     }
 
     if send.password_hash.is_some() {
@@ -279,27 +279,27 @@ fn post_access_file(
 ) -> JsonResult {
     let mut send = match Send::find_by_uuid(&send_id, &conn) {
         Some(s) => s,
-        None => err_code!("Send not found", 404),
+        None => err_code!("Send does not exist or is no longer available", 404),
     };
 
     if let Some(max_access_count) = send.max_access_count {
         if send.access_count >= max_access_count {
-            err_code!("Max access count reached", 404);
+            err_code!("Send does not exist or is no longer available", 404)
         }
     }
 
     if let Some(expiration) = send.expiration_date {
         if Utc::now().naive_utc() >= expiration {
-            err_code!("Send has expired", 404)
+            err_code!("Send does not exist or is no longer available", 404)
         }
     }
 
     if Utc::now().naive_utc() >= send.deletion_date {
-        err_code!("Send has been deleted", 404)
+        err_code!("Send does not exist or is no longer available", 404)
     }
 
     if send.disabled {
-        err_code!("Send has been disabled", 404)
+        err_code!("Send does not exist or is no longer available", 404)
     }
 
     if send.password_hash.is_some() {

From aa5cc642e1189196e46d98da7d424bae7d89f4b0 Mon Sep 17 00:00:00 2001
From: Miro Prasil
Date: Thu, 25 Mar 2021 11:40:32 +0000
Subject: [PATCH 2/2] Use constant for the "inaccessible" error message

---
 src/api/core/sends.rs | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/api/core/sends.rs b/src/api/core/sends.rs
index c63266da..ec6809a2 100644
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@@ -13,6 +13,8 @@ use crate::{
     CONFIG,
 };
 
+const SEND_INACCESSIBLE_MSG: &str = "Send does not exist or is no longer available";
+
 pub fn routes() -> Vec {
     routes![
         post_send,
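Review bot: The new `SEND_INACCESSIBLE_MSG` constant carries no comment saying why it is deliberately vague, so a later contributor could reintroduce per-cause messages without realising that collapsing every refusal into one response is the security property being protected. I would document it at the declaration: `/// Single message returned for every refused anonymous Send access (unknown id, access limit reached, expired, past deletion date, disabled) so the response does not reveal whether a Send exists; keep the status code identical across those branches for the same reason.` The hunks below do use 404 in every branch, which is consistent with that intent. `routes()` continues past the end of this hunk.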
@@ -228,27 +230,27 @@ pub struct SendAccessData {
 fn post_access(access_id: String, data: JsonUpcase, conn: DbConn) -> JsonResult {
     let mut send = match Send::find_by_access_id(&access_id, &conn) {
         Some(s) => s,
-        None => err_code!("Send does not exist or is no longer available", 404),
+        None => err_code!(SEND_INACCESSIBLE_MSG, 404),
     };
 
     if let Some(max_access_count) = send.max_access_count {
         if send.access_count >= max_access_count {
-            err_code!("Send does not exist or is no longer available", 404);
+            err_code!(SEND_INACCESSIBLE_MSG, 404);
         }
     }
 
     if let Some(expiration) = send.expiration_date {
         if Utc::now().naive_utc() >= expiration {
-            err_code!("Send does not exist or is no longer available", 404)
+            err_code!(SEND_INACCESSIBLE_MSG, 404)
         }
     }
 
     if Utc::now().naive_utc() >= send.deletion_date {
-        err_code!("Send does not exist or is no longer available", 404)
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     }
 
     if send.disabled {
-        err_code!("Send does not exist or is no longer available", 404)
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     }
 
     if send.password_hash.is_some() {
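Review bot: With every refusal in `post_access` now returning the identical `SEND_INACCESSIBLE_MSG` 404, the server itself no longer records why an access was refused, which makes repeated probing of an over-limit, expired or disabled Send hard to investigate from logs. I would keep the client response generic but log the specific cause server-side before each `err_code!`, e.g. `debug!("Send access {} refused: max access count reached", access_id);` in the `max_access_count` branch, assuming the crate's `log` macros are in scope in this file — they are not visible in the hunk. `post_access` continues beyond the end of the hunk; the `password_hash` handling that follows is not shown here.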
@@ -279,27 +281,27 @@ fn post_access_file(
 ) -> JsonResult {
     let mut send = match Send::find_by_uuid(&send_id, &conn) {
         Some(s) => s,
-        None => err_code!("Send does not exist or is no longer available", 404),
+        None => err_code!(SEND_INACCESSIBLE_MSG, 404),
     };
 
     if let Some(max_access_count) = send.max_access_count {
         if send.access_count >= max_access_count {
-            err_code!("Send does not exist or is no longer available", 404)
+            err_code!(SEND_INACCESSIBLE_MSG, 404)
         }
     }
 
     if let Some(expiration) = send.expiration_date {
         if Utc::now().naive_utc() >= expiration {
-            err_code!("Send does not exist or is no longer available", 404)
+            err_code!(SEND_INACCESSIBLE_MSG, 404)
         }
     }
 
     if Utc::now().naive_utc() >= send.deletion_date {
-        err_code!("Send does not exist or is no longer available", 404)
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     }
 
     if send.disabled {
-        err_code!("Send does not exist or is no longer available", 404)
+        err_code!(SEND_INACCESSIBLE_MSG, 404)
     }
 
     if send.password_hash.is_some() {
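Review bot: The `max_access_count` branch in `post_access_file` is written `err_code!(SEND_INACCESSIBLE_MSG, 404)` without a trailing `;`, while the same branch in `post_access` in the hunk above keeps it (`err_code!(SEND_INACCESSIBLE_MSG, 404);`); both forms compile, but the two functions should use one. More generally, the five-check gate (lookup, access count, expiration, deletion date, disabled) is now duplicated line for line between `post_access` and `post_access_file`, so a future tweak to one can silently diverge from the other; a small shared helper taking `&Send` and issuing the same `err_code!` refusals would keep the two endpoints in lock-step, though its exact return type depends on how `err_code!` expands, which is not visible here. `post_access_file`'s signature begins before the hunk and its body continues after it.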