some user input sanitazion, blame catcat

2023-02-02 17:04:43 +02:00 · 2023-02-02 17:04:43 +02:00 · c1975ebb9a
parent baeb02adf5
commit c1975ebb9a
6 changed files with 20 additions and 5 deletions
--- a/commands/hn.js
+++ b/commands/hn.js
@ -1,7 +1,7 @@
 const command = {
  name: "hn",
  desc: "fetch hacker news",
-  run: async (client, msg, splitted) => {
+  run: async (client, msg) => {
    const data = await fetch(
      `https://hn.algolia.com/api/v1/search?tags=front_page`
    )
--- a/commands/mail.js
+++ b/commands/mail.js
@ -22,7 +22,11 @@ const command = {

      case "fetch": {
        const data = await fetch(
-          `https://dropmail.me/api/graphql/gj3489g389gj4wegj3qj890fg23j89j82g?query=query%20(%24id%3A%20ID!)%20%7Bsession(id%3A%24id)%20%7B%20addresses%20%7Baddress%7D%2C%20mails%7BrawSize%2C%20fromAddr%2C%20toAddr%2C%20downloadUrl%2C%20text%2C%20headerSubject%7D%7D%20%7D&variables=%7B%22id%22%3A%22${splitted[3]}%22%7D`
+          `https://dropmail.me/api/graphql/gj3489g389gj4wegj3qj890fg23j89j82g?query=query%20(%24id%3A%20ID!)%20%7Bsession(id%3A%24id)%20%7B%20addresses%20%7Baddress%7D%2C%20mails%7BrawSize%2C%20fromAddr%2C%20toAddr%2C%20downloadUrl%2C%20text%2C%20headerSubject%7D%7D%20%7D&variables=%7B%22id%22%3A%22${splitted[3]
+            .replaceAll("?", "")
+            .replaceAll("/", "")
+            .replaceAll("\\", "")
+            .replaceAll("&", "")}%22%7D`
        )
          .then((res) => res.json())
          .then((data) => data.data.session)
--- a/commands/rd.js
+++ b/commands/rd.js
@ -3,7 +3,9 @@ const command = {
  desc: "get post from reddit subreddit",
  run: async (client, msg, splitted) => {
    const data = await fetch(
-      `https://teddit.namazso.eu/r/${splitted[2] ? splitted[2] : "forsen"}?api`
+      `https://teddit.namazso.eu/r/${
+        splitted[2] ? splitted[2].replaceAll(/\W/g, "") : "forsen"
+      }?api`
    )
      .then((res) => res.json())
      .then((data) => data.links[Math.floor(Math.random() * data.links.length)])
--- a/commands/twitter.js
+++ b/commands/twitter.js
@ -4,7 +4,13 @@ const command = {
  run: async (client, msg, splitted) => {
    const data = await fetch(
      `https://api.rss2json.com/v1/api.json?rss_url=https://nitter.namazso.eu/${
-        splitted[2] ? splitted[2] : "forsen"
+        splitted[2]
+          ? splitted[2]
+              .replaceAll("?", "")
+              .replaceAll("/", "")
+              .replaceAll("\\", "")
+              .replaceAll("&", "")
+          : "forsen"
      }/rss`
    )
      .then((res) => res.json())
--- a/commands/weather.js
+++ b/commands/weather.js
@ -10,7 +10,9 @@ const command = {
      return;
    }

-    const data = await fetch(`https://wttr.in/${splitted[2]}?format=j1`)
+    const data = await fetch(
+      `https://wttr.in/${splitted[2].replaceAll(/\W/g, "")}?format=j1`
+    )
      .then((res) => res.json())
      .then((data) => {
        return data.current_condition[0];
--- a/commands/yts.js
+++ b/commands/yts.js
@ -11,6 +11,7 @@ const command = {

    const data = await fetch(
      `https://invidious.epicsite.xyz/api/v1/search?type=video&q=${splitted
+        .replaceAll(/\W/g, "")
        .slice(2)
        .join(" ")}`
    )