Patch SQL injection

PintoIM · May 16, 2023 · 5f2216d · 5f2216d
1 parent fc86601
commit 5f2216d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/src/main/java/me/vlod/pinto/networking/NetHandlerUtils.java b/src/main/java/me/vlod/pinto/networking/NetHandlerUtils.java
@@ -7,6 +7,9 @@
 import me.vlod.pinto.configuration.WhitelistConfig;
 
 public class NetHandlerUtils {
+	public static final String USERNAME_REGEX_CHECK = "^(?=.{3,15}$)[a-zA-Z0-9._]+$";
+	public static final String PASSWORD_REGEX_CHECK = "^(?=.{64}$)[a-zA-Z0-9._]+$";
+
 	public static boolean performModerationChecks(NetworkHandler handler, String username) {
 		// Check if either the user name or IP are not white-listed
     	if (MainConfig.instance.useWhiteList && 
@@ -31,7 +34,7 @@ public static boolean performModerationChecks(NetworkHandler handler, String use
 	}
 
 	public static boolean performNameVerification(NetworkHandler handler, String username) {
-    	if (!username.matches("^(?=.{3,15}$)[a-zA-Z0-9._]+$")) {
+    	if (!username.matches(USERNAME_REGEX_CHECK)) {
     		handler.kick("Illegal username!\n"
     				+ "Legal usernames must have a length of at least 3 and at most 16\n"
     				+ "Legal usernames may only contain alphanumeric characters,"

diff --git a/src/main/java/me/vlod/pinto/networking/NetworkHandler.java b/src/main/java/me/vlod/pinto/networking/NetworkHandler.java
@@ -133,7 +133,8 @@ private void performSync() {
 								NetHandlerUtils.getToOthersStatus(
 										netHandler.databaseEntry.status))));
 
-			if (netHandler != null) {
+			if (netHandler != null && 
+				NetHandlerUtils.getToOthersStatus(this.databaseEntry.status) != UserStatus.OFFLINE) {
 				netHandler.sendPacket(new PacketStatus(this.userName, this.databaseEntry.status));
 			}
 		}
@@ -231,6 +232,11 @@ public void handleRegisterPacket(PacketRegister packet) {
     		return;
     	}
 
+    	if (!packet.passwordHash.matches(NetHandlerUtils.PASSWORD_REGEX_CHECK)) {
+    		this.kick("Illegal password hash! Attempted SQL injection?");
+    		return;
+    	}
+
     	// Create the database entry
     	this.databaseEntry = UserDatabaseEntry.registerAndReturnEntry(this.server, packet.name,
     			packet.passwordHash, UserStatus.ONLINE);
@@ -271,6 +277,11 @@ public void handleMessagePacket(PacketMessage packet) {
     }
 
 	public void handleAddContactPacket(PacketAddContact packet) {
+		if (!packet.contactName.matches(NetHandlerUtils.USERNAME_REGEX_CHECK)) {
+			this.sendPacket(new PacketInWindowPopup("Invalid contact name specified"));
+			return;
+		}
+
 		if (packet.contactName.equals(this.userName)) {
 			this.sendPacket(new PacketInWindowPopup("You may not add yourself to your contact list"));
 			return;

diff --git a/src/main/java/me/vlod/sql/SQLiteInterface.java b/src/main/java/me/vlod/sql/SQLiteInterface.java
@@ -10,6 +10,9 @@
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 
+/**
+ * SQLite implementation of {@link SQLInterface}
+ */
 public class SQLiteInterface implements SQLInterface {
 	private Connection connection;
 	private DatabaseMetaData dbMetaData;