Unify request value handling

Michael 2022-01-16 14:04:20 +00:00
parent 4319136421
commit 4724000d06
16 changed files with 105 additions and 73 deletions


@ -260,19 +260,7 @@ abstract class BaseModule implements ICanHandleRequests
$request = [];
foreach ($defaults as $parameter => $defaultvalue) {
if (is_string($defaultvalue)) {
$request[$parameter] = (string)($input[$parameter] ?? $defaultvalue);
} elseif (is_int($defaultvalue)) {
$request[$parameter] = filter_var($input[$parameter] ?? $defaultvalue, FILTER_VALIDATE_INT);
} elseif (is_float($defaultvalue)) {
$request[$parameter] = filter_var($input[$parameter] ?? $defaultvalue, FILTER_VALIDATE_FLOAT);
} elseif (is_array($defaultvalue)) {
$request[$parameter] = filter_var($input[$parameter] ?? $defaultvalue, FILTER_DEFAULT, ['flags' => FILTER_FORCE_ARRAY]);
} elseif (is_bool($defaultvalue)) {
$request[$parameter] = filter_var($input[$parameter] ?? $defaultvalue, FILTER_VALIDATE_BOOLEAN);
} else {
$this->logger->notice('Unhandled default value type', ['parameter' => $parameter, 'type' => gettype($defaultvalue)]);
}
$request[$parameter] = $this->getRequestValue($input, $parameter, $defaultvalue);
}
foreach ($input ?? [] as $parameter => $value) {
@ -288,6 +276,50 @@ abstract class BaseModule implements ICanHandleRequests
return $request;
}
/**
* Fetch a request value and apply default values and check against minimal and maximal values
*
* @param array $input
* @param string $parameter
* @param mixed $default
* @param mixed $minimal_value
* @param mixed $maximum_value
* @return mixed
*/
public function getRequestValue(array $input, string $parameter, $default = null, $minimal_value = null, $maximum_value = null)
{
if (is_string($default)) {
$value = (string)($input[$parameter] ?? $default);
} elseif (is_int($default)) {
$value = filter_var($input[$parameter] ?? $default, FILTER_VALIDATE_INT);
if (!is_null($minimal_value)) {
$value = max(filter_var($minimal_value, FILTER_VALIDATE_INT), $value);
}
if (!is_null($maximum_value)) {
$value = min(filter_var($minimal_value, FILTER_VALIDATE_INT), $value);
}
} elseif (is_float($default)) {
$value = filter_var($input[$parameter] ?? $default, FILTER_VALIDATE_FLOAT);
if (!is_null($minimal_value)) {
$value = max(filter_var($minimal_value, FILTER_VALIDATE_FLOAT), $value);
}
if (!is_null($maximum_value)) {
$value = min(filter_var($minimal_value, FILTER_VALIDATE_FLOAT), $value);
}
} elseif (is_array($default)) {
$value = filter_var($input[$parameter] ?? $default, FILTER_DEFAULT, ['flags' => FILTER_FORCE_ARRAY]);
} elseif (is_bool($default)) {
$value = filter_var($input[$parameter] ?? $default, FILTER_VALIDATE_BOOLEAN);
} elseif (is_null($default)) {
$value = $input[$parameter] ?? null;
} else {
$this->logger->notice('Unhandled default value type', ['parameter' => $parameter, 'type' => gettype($default)]);
$value = null;
}
return $value;
}
/*
* Functions used to protect against Cross-Site Request Forgery
* The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
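Review bot: Both upper-bound clamps in `getRequestValue` pass `$minimal_value` to `min()`, so `$maximum_value` is never applied; a call such as `getRequestValue($request, 'count', 20, 1, 100)` ends up clamped to 1 instead of 100. The int branch should read `$value = min(filter_var($maximum_value, FILTER_VALIDATE_INT), $value);` and the float branch the same with `FILTER_VALIDATE_FLOAT`. Separately, `filter_var` returns `false` for input that fails validation, and that `false` is returned to the caller (or fed into `max()`/`min()`) instead of the default; `if ($value === false) { $value = $default; }` after each numeric `filter_var` would keep the return type stable. The docblock could also state that a `null` default returns the raw input without any filtering.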


@ -37,7 +37,7 @@ class Create extends BaseApi
$uid = BaseApi::getCurrentUserID();
// params
$name = $request['name'] ?? '';
$name = $this->getRequestValue($request, 'name', '');
$json = json_decode($request['json'], true);
$users = $json['user'];
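Review bot: `$request['json']` is still read directly and the decoded result is indexed without a check, so a request that omits `json`, or whose value does not decode to an array, reaches `$json['user']` with `$json` being `null`. Since this commit moves `name` onto `getRequestValue`, the same could be done here with `$json = json_decode($this->getRequestValue($request, 'json', ''), true);`, rejecting the request when `!is_array($json)`. The Update hunk for the same API has the identical two lines. The method continues outside the hunk, so a later check on `$users` may already exist.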


@ -39,7 +39,7 @@ class Show extends BaseApi
$type = $this->parameters['extension'] ?? '';
// params
$gid = $request['gid'] ?? 0;
$gid = $this->getRequestValue($request, 'gid', 0);
// get data of the specified group id or all groups if not specified
if ($gid != 0) {


@ -38,8 +38,8 @@ class Update extends BaseApi
$uid = BaseApi::getCurrentUserID();
// params
$gid = $request['gid'] ?? 0;
$name = $request['name'] ?? '';
$gid = $this->getRequestValue($request, 'gid', 0);
$name = $this->getRequestValue($request, 'name', '');
$json = json_decode($request['json'], true);
$users = $json['user'];


@ -55,12 +55,12 @@ class Create extends BaseApi
$type = $this->parameters['extension'] ?? '';
// input params
$desc = $request['desc'] ?? null;
$album = $request['album'] ?? null;
$allow_cid = $request['allow_cid'] ?? null;
$deny_cid = $request['deny_cid' ] ?? null;
$allow_gid = $request['allow_gid'] ?? null;
$deny_gid = $request['deny_gid' ] ?? null;
$desc = $this->getRequestValue($request, 'desc');
$album = $this->getRequestValue($request, 'album');
$allow_cid = $this->getRequestValue($request, 'allow_cid');
$deny_cid = $this->getRequestValue($request, 'deny_cid');
$allow_gid = $this->getRequestValue($request, 'allow_gid');
$deny_gid = $this->getRequestValue($request, 'deny_gid');
// do several checks on input parameters
// we do not allow calls without album string


@ -55,14 +55,14 @@ class Update extends BaseApi
$type = $this->parameters['extension'] ?? '';
// input params
$photo_id = $request['photo_id'] ?? null;
$desc = $request['desc'] ?? null;
$album = $request['album'] ?? null;
$album_new = $request['album_new'] ?? null;
$allow_cid = $request['allow_cid'] ?? null;
$deny_cid = $request['deny_cid' ] ?? null;
$allow_gid = $request['allow_gid'] ?? null;
$deny_gid = $request['deny_gid' ] ?? null;
$photo_id = $this->getRequestValue($request, 'photo_id');
$desc = $this->getRequestValue($request, 'desc');
$album = $this->getRequestValue($request, 'album');
$album_new = $this->getRequestValue($request, 'album_new');
$allow_cid = $this->getRequestValue($request, 'allow_cid');
$deny_cid = $this->getRequestValue($request, 'deny_cid');
$allow_gid = $this->getRequestValue($request, 'allow_gid');
$deny_gid = $this->getRequestValue($request, 'deny_gid');
// do several checks on input parameters
// we do not allow calls without album string


@ -41,10 +41,10 @@ class Conversation extends BaseApi
// params
$id = $this->parameters['id'] ?? 0;
$since_id = $request['since_id'] ?? 0;
$max_id = $request['max_id'] ?? 0;
$count = $request['count'] ?? 20;
$page = $request['page'] ?? 1;
$since_id = $this->getRequestValue($request, 'since_id', 0);
$max_id = $this->getRequestValue($request, 'max_id', 0);
$count = $this->getRequestValue($request, 'count', 20);
$page = $this->getRequestValue($request, 'page', 1);
$start = max(0, ($page - 1) * $count);
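Review bot: `count` and `page` are read without bounds here, while the timeline endpoints changed in the same commit pass a minimum of 1 and a maximum of 100. Unless a limit is applied further down (the method continues outside the hunk), a client can request an arbitrarily large page size, and a zero or negative `count` reaches the `$start` calculation. Consider `$count = $this->getRequestValue($request, 'count', 20, 1, 100);` and `$page = $this->getRequestValue($request, 'page', 1, 1);`. The Statuses hunk reads `count` and `page` in the same unbounded way.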


@ -58,12 +58,12 @@ abstract class DirectMessagesEndpoint extends BaseApi
protected function getMessages(array $request, int $uid, array $condition)
{
// params
$count = filter_var($request['count'] ?? 20, FILTER_VALIDATE_INT, ['options' => ['max_range' => 100]]);
$page = filter_var($request['page'] ?? 1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$since_id = filter_var($request['since_id'] ?? 0, FILTER_VALIDATE_INT);
$max_id = filter_var($request['max_id'] ?? 0, FILTER_VALIDATE_INT);
$min_id = filter_var($request['min_id'] ?? 0, FILTER_VALIDATE_INT);
$verbose = filter_var($request['friendica_verbose'] ?? false, FILTER_VALIDATE_BOOLEAN);
$count = $this->getRequestValue($request, 'count', 20, 1, 100);
$page = $this->getRequestValue($request, 'page', 1, 1);
$since_id = $this->getRequestValue($request, 'since_id', 0, 1);
$max_id = $this->getRequestValue($request, 'max_id', 0, 1);
$min_id = $this->getRequestValue($request, 'min_id', 0, 1);
$verbose = $this->getRequestValue($request, 'friendica_verbose', false);
// pagination
$start = max(0, ($page - 1) * $count);
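Review bot: `since_id`, `max_id` and `min_id` are given a default of 0 together with a minimum of 1, so an absent parameter comes back as 1 instead of 0 once the `max()` clamp in `getRequestValue` runs. If the code after this hunk treats 0 as "not set" and only adds an id condition for larger values (the Statuses hunk in this commit appears to do that for `max_id`), every request without these parameters would get an id filter it did not ask for. Use a minimum of 0, or none: `$since_id = $this->getRequestValue($request, 'since_id', 0, 0);`. The same arguments appear in the Favorites, HomeTimeline, Mentions and PublicTimeline hunks.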


@ -45,10 +45,10 @@ class Favorites extends BaseApi
Logger::info(BaseApi::LOG_PREFIX . 'for {self}', ['module' => 'api', 'action' => 'favorites']);
// params
$since_id = $request['since_id'] ?? 0;
$max_id = $request['max_id'] ?? 0;
$count = $request['count'] ?? 20;
$page = $request['page'] ?? 1;
$count = $this->getRequestValue($request, 'count', 20, 1, 100);
$page = $this->getRequestValue($request, 'page', 1, 1);
$since_id = $this->getRequestValue($request, 'since_id', 0, 1);
$max_id = $this->getRequestValue($request, 'max_id', 0, 1);
$start = max(0, ($page - 1) * $count);


@ -60,7 +60,7 @@ class Create extends BaseApi
$uid = BaseApi::getCurrentUserID();
// params
$name = $request['name'] ?? '';
$name = $this->getRequestValue($request, 'name', '');
if ($name == '') {
throw new HTTPException\BadRequestException('group name not specified');


@ -60,7 +60,7 @@ class Destroy extends BaseApi
$uid = BaseApi::getCurrentUserID();
// params
$gid = $request['list_id'] ?? 0;
$gid = $this->getRequestValue($request, 'list_id', 0);
// error if no gid specified
if ($gid == 0) {


@ -65,12 +65,12 @@ class Statuses extends BaseApi
}
// params
$count = $request['count'] ?? 20;
$page = $request['page'] ?? 1;
$since_id = $request['since_id'] ?? 0;
$max_id = $request['max_id'] ?? 0;
$exclude_replies = (!empty($request['exclude_replies']) ? 1 : 0);
$conversation_id = $request['conversation_id'] ?? 0;
$count = $this->getRequestValue($request, 'count', 20);
$page = $this->getRequestValue($request, 'page', 1);
$since_id = $this->getRequestValue($request, 'since_id', 0);
$max_id = $this->getRequestValue($request, 'max_id', 0);
$exclude_replies = $this->getRequestValue($request, 'exclude_replies', false);
$conversation_id = $this->getRequestValue($request, 'conversation_id', 0);
$start = max(0, ($page - 1) * $count);
@ -83,7 +83,7 @@ class Statuses extends BaseApi
$condition[0] .= " AND `id` <= ?";
$condition[] = $max_id;
}
if ($exclude_replies > 0) {
if ($exclude_replies) {
$condition[0] .= ' AND `gravity` = ?';
$condition[] = GRAVITY_PARENT;
}
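Review bot: `exclude_replies` changes meaning here: it used to be true for any non-empty value and is now parsed with `FILTER_VALIDATE_BOOLEAN`, which yields `false` for anything outside the recognised true strings such as `1`, `true`, `on` and `yes`. A client sending some other non-empty value would silently start receiving replies again. A short comment at the call, for example `// only 1/true/on/yes enable this; any other value is treated as false`, would record the accepted values. HomeTimeline and PublicTimeline make the same switch.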


@ -60,8 +60,8 @@ class Update extends BaseApi
$uid = BaseApi::getCurrentUserID();
// params
$gid = $request['list_id'] ?? 0;
$name = $request['name'] ?? '';
$gid = $this->getRequestValue($request, 'list_id', 0);
$name = $this->getRequestValue($request, 'name', '');
// error if no gid specified
if ($gid == 0) {


@ -43,12 +43,12 @@ class HomeTimeline extends BaseApi
// get last network messages
// params
$count = $_REQUEST['count'] ?? 20;
$page = $_REQUEST['page'] ?? 0;
$since_id = $_REQUEST['since_id'] ?? 0;
$max_id = $_REQUEST['max_id'] ?? 0;
$exclude_replies = !empty($_REQUEST['exclude_replies']);
$conversation_id = $_REQUEST['conversation_id'] ?? 0;
$count = $this->getRequestValue($request, 'count', 20, 1, 100);
$page = $this->getRequestValue($request, 'page', 1, 1);
$since_id = $this->getRequestValue($request, 'since_id', 0, 1);
$max_id = $this->getRequestValue($request, 'max_id', 0, 1);
$exclude_replies = $this->getRequestValue($request, 'exclude_replies', false);
$conversation_id = $this->getRequestValue($request, 'conversation_id', 0);
$start = max(0, ($page - 1) * $count);


@ -42,10 +42,10 @@ class Mentions extends BaseApi
// get last network messages
// params
$since_id = $_REQUEST['since_id'] ?? 0;
$max_id = $_REQUEST['max_id'] ?? 0;
$count = $_REQUEST['count'] ?? 20;
$page = $_REQUEST['page'] ?? 1;
$count = $this->getRequestValue($request, 'count', 20, 1, 100);
$page = $this->getRequestValue($request, 'page', 1, 1);
$since_id = $this->getRequestValue($request, 'since_id', 0, 1);
$max_id = $this->getRequestValue($request, 'max_id', 0, 1);
$start = max(0, ($page - 1) * $count);


@ -41,12 +41,12 @@ class PublicTimeline extends BaseApi
// get last network messages
// params
$count = $_REQUEST['count'] ?? 20;
$page = $_REQUEST['page'] ?? 1;
$since_id = $_REQUEST['since_id'] ?? 0;
$max_id = $_REQUEST['max_id'] ?? 0;
$exclude_replies = (!empty($_REQUEST['exclude_replies']) ? 1 : 0);
$conversation_id = $_REQUEST['conversation_id'] ?? 0;
$count = $this->getRequestValue($request, 'count', 20, 1, 100);
$page = $this->getRequestValue($request, 'page', 1, 1);
$since_id = $this->getRequestValue($request, 'since_id', 0, 1);
$max_id = $this->getRequestValue($request, 'max_id', 0, 1);
$exclude_replies = $this->getRequestValue($request, 'exclude_replies', false);
$conversation_id = $this->getRequestValue($request, 'conversation_id', 0);
$start = max(0, ($page - 1) * $count);