sncf/src/sniff.rs

use actix_web::web;
use serde_json::Value;

use crate::debug;

// checks to be done on user requests
// if it returns true, cancels the request
pub fn check_request(route: &str, body: &web::Bytes) -> bool {
    match route {
        "/ocs/v2.php/apps/forms/api/v1.1/form/update" => rq_form_update(body),
        _ => false,
    }
}

// prevents the user from doing anything other than link sharing.
fn rq_form_update(body: &web::Bytes) -> bool {
    let req = String::from_utf8_lossy(body);

    // try to serialize the body.
    // If the parsing fails, drop the request
    let v: Value = serde_json::from_str(&req).unwrap_or_else(|e| {
        eprintln!("check_request: failed to parse JSON: {}", e);
        Value::Null
    });
    // if the type or isAnonymous is set (isn't null),
    // drop the request.
    // Also drop if v is null because of parsing fail.
    v == Value::Null
        || v["keyValuePairs"]["isAnonymous"] != Value::Null
        || v["keyValuePairs"]["access"]["type"] != Value::Null
}

// checks to be done on responses from the Nextcloud instance
// if it returns true, cancels the request
// NOTE: unused for now
/*pub fn check_response(_route: &str, _body: &web::Bytes) -> bool {
    false
}*/

// checks if a form has been created.
// if it's the case, sets some parameters.
// this part may need code quality improvements
// the body MUST come from the "create new form" route
// (this is checked upstream)
// returns the form UID and the request body
pub fn check_new_form(body: &web::Bytes) -> u64 {
    let req = String::from_utf8_lossy(body);

    // finds the form ID
    let v: Value = serde_json::from_str(&req).unwrap_or_else(|e| {
        eprintln!("check_new_form: failed to parse JSON: {}", e);
        Value::Null
    });

    if v != Value::Null
        && v["ocs"].is_object()
        && v["ocs"]["data"].is_object()
        && v["ocs"]["data"]["id"] != Value::Null
        && v["ocs"]["data"]["isAnonymous"] == Value::Null
    {
        //getting form id
        v["ocs"]["data"]["id"].as_u64().unwrap_or_else(|| {
            eprintln!("check_new_form: failed to parse formid: {}", v);
            0
        })
    } else {
        eprintln!("error: check_new_form: can't find formid: {}", v);
        0
    }
}

// those routes won't be redirected
const BLOCKED_ROUTES: &[&str] = &[
    "/apps/settings",
    "/login",
    "/settings",
    "/ocs/v",
    "/remote.php",
    "/core/templates/filepicker.html",
];

// ...except if they are in this list
const ALLOWED_ROUTES: &[&str] = &["/ocs/v2.php/apps/forms/", "/status.php"];

// checks if the accessed route is allowed for the user.
// if it returns true, redirects elsewhere
pub fn check_route(route: &str) -> bool {
    debug(route);

    for r in BLOCKED_ROUTES {
        if route.starts_with(r) {
            for s in ALLOWED_ROUTES {
                if route.starts_with(s) {
                    return false;
                }
            }
            return true;
        }
    }
    false
}
initial commit and v1? 2020-08-19 01:21:42 +02:00			`use actix_web::web;`
			`use serde_json::Value;`

			`use crate::debug;`

			`// checks to be done on user requests`
			`// if it returns true, cancels the request`
			`pub fn check_request(route: &str, body: &web::Bytes) -> bool {`
			`match route {`
compatibility with nextcloud 22 and Forms API v1.1 2021-10-11 16:54:55 +02:00			`"/ocs/v2.php/apps/forms/api/v1.1/form/update" => rq_form_update(body),`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`_ => false,`
			`}`
			`}`

			`// prevents the user from doing anything other than link sharing.`
			`fn rq_form_update(body: &web::Bytes) -> bool {`
			`let req = String::from_utf8_lossy(body);`

			`// try to serialize the body.`
			`// If the parsing fails, drop the request`
			`let v: Value = serde_json::from_str(&req).unwrap_or_else(\|e\| {`
			`eprintln!("check_request: failed to parse JSON: {}", e);`
			`Value::Null`
			`});`
			`// if the type or isAnonymous is set (isn't null),`
			`// drop the request.`
			`// Also drop if v is null because of parsing fail.`
			`v == Value::Null`
			`\|\| v["keyValuePairs"]["isAnonymous"] != Value::Null`
			`\|\| v["keyValuePairs"]["access"]["type"] != Value::Null`
			`}`

			`// checks to be done on responses from the Nextcloud instance`
			`// if it returns true, cancels the request`
Use await everywhere, do not declare a mutable variable if the body doesn't need to be edited, disable compression 2020-08-29 19:55:03 +02:00			`// NOTE: unused for now`
			`/*pub fn check_response(_route: &str, _body: &web::Bytes) -> bool {`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`false`
Use await everywhere, do not declare a mutable variable if the body doesn't need to be edited, disable compression 2020-08-29 19:55:03 +02:00			`}*/`
initial commit and v1? 2020-08-19 01:21:42 +02:00
			`// checks if a form has been created.`
			`// if it's the case, sets some parameters.`
			`// this part may need code quality improvements`
Use await everywhere, do not declare a mutable variable if the body doesn't need to be edited, disable compression 2020-08-29 19:55:03 +02:00			`// the body MUST come from the "create new form" route`
			`// (this is checked upstream)`
updating isAnonymous interception process with new OCS API 2021-03-24 19:50:28 +01:00			`// returns the form UID and the request body`
Use await everywhere, do not declare a mutable variable if the body doesn't need to be edited, disable compression 2020-08-29 19:55:03 +02:00			`pub fn check_new_form(body: &web::Bytes) -> u64 {`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`let req = String::from_utf8_lossy(body);`

			`// finds the form ID`
			`let v: Value = serde_json::from_str(&req).unwrap_or_else(\|e\| {`
			`eprintln!("check_new_form: failed to parse JSON: {}", e);`
			`Value::Null`
			`});`

updating isAnonymous interception process with new OCS API 2021-03-24 19:50:28 +01:00			`if v != Value::Null`
			`&& v["ocs"].is_object()`
cargo fmt 2021-03-24 20:17:08 +01:00			`&& v["ocs"]["data"].is_object()`
			`&& v["ocs"]["data"]["id"] != Value::Null`
			`&& v["ocs"]["data"]["isAnonymous"] == Value::Null`
			`{`
			`//getting form id`
cargo clippy 2021-03-24 20:29:24 +01:00			`v["ocs"]["data"]["id"].as_u64().unwrap_or_else(\|\| {`
cargo fmt 2021-03-24 20:17:08 +01:00			`eprintln!("check_new_form: failed to parse formid: {}", v);`
			`0`
cargo clippy 2021-03-24 20:29:24 +01:00			`})`
cargo fmt 2021-03-24 20:17:08 +01:00			`} else {`
			`eprintln!("error: check_new_form: can't find formid: {}", v);`
			`0`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`}`
			`}`

adding ALLOWED_ROUTES 2020-09-08 18:36:27 +02:00			`// those routes won't be redirected`
cargo clippy 2020-08-22 16:38:24 +02:00			`const BLOCKED_ROUTES: &[&str] = &[`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`"/apps/settings",`
			`"/login",`
			`"/settings",`
			`"/ocs/v",`
			`"/remote.php",`
updating isAnonymous interception process with new OCS API 2021-03-24 19:50:28 +01:00			`"/core/templates/filepicker.html",`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`];`

adding ALLOWED_ROUTES 2020-09-08 18:36:27 +02:00			`// ...except if they are in this list`
cargo fmt 2021-03-24 20:17:08 +01:00			`const ALLOWED_ROUTES: &[&str] = &["/ocs/v2.php/apps/forms/", "/status.php"];`
adding ALLOWED_ROUTES 2020-09-08 18:36:27 +02:00
initial commit and v1? 2020-08-19 01:21:42 +02:00			`// checks if the accessed route is allowed for the user.`
			`// if it returns true, redirects elsewhere`
			`pub fn check_route(route: &str) -> bool {`
			`debug(route);`

			`for r in BLOCKED_ROUTES {`
			`if route.starts_with(r) {`
adding ALLOWED_ROUTES 2020-09-08 18:36:27 +02:00			`for s in ALLOWED_ROUTES {`
			`if route.starts_with(s) {`
			`return false;`
			`}`
			`}`
initial commit and v1? 2020-08-19 01:21:42 +02:00			`return true;`
			`}`
			`}`
			`false`
			`}`