From 06a939bcd1f7a970db99132eb0ab1cd751157b00 Mon Sep 17 00:00:00 2001
From: Lucas
Date: Sun, 19 Feb 2023 18:09:44 +0000
Subject: [PATCH] api, backend: improve validations

Introduce a sub for validating page number. Introduce a sub for validating tag name and allow non-ASCII characters.
---
 lib/PoorBooru.pm | 6 ++++--
 lib/PoorBooru/API/V0.pm | 12 ++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/lib/PoorBooru.pm b/lib/PoorBooru.pm
index 8314860..5b93736 100644
--- a/lib/PoorBooru.pm
+++ b/lib/PoorBooru.pm
@@ -6,6 +6,8 @@ our $VERSION = v0.0.1;
 
 my $POORBOORU_API = setting("poorbooru_api");
 
+sub validate_page_number ($) { $_[0] =~ /^[1-9][0-9]*$/ }
+
 sub api_request ($$;%) {
     my ($method, $path, $params_hashref) = @_;
 
@@ -60,7 +62,7 @@ hook before_template_render => sub {
 
 get "/" => sub {
     my $page = query_parameters->get("page") // 1;
-    send_error("Invalid page number", 400) if $page !~ /^[1-9][0-9]*$/;
+    send_error("Invalid page number", 400) if !validate_page_number($page);
 
     my $res = api_get("/media", { page => $page });
     send_error("API error", 500) if !$res->{success};
@@ -81,7 +83,7 @@ get "/" => sub {
 
 get "/tags" => sub {
     my $page = query_parameters->get("page") // 1;
-    send_error("Invalid page number", 400) if $page !~ /^[1-9][0-9]*$/;
+    send_error("Invalid page number", 400) if !validate_page_number($page);
 
     my $res = api_get("/tags", { page => $page });
     send_error("API error", 500) if !$res->{success};
diff --git a/lib/PoorBooru/API/V0.pm b/lib/PoorBooru/API/V0.pm
index b534f76..b5b27e3 100644
--- a/lib/PoorBooru/API/V0.pm
+++ b/lib/PoorBooru/API/V0.pm
@@ -10,8 +10,8 @@ use constant {
     DEFAULT_CONTENT_TYPE => "application/json",
 };
 
-my $TAG_NAME_RE = qr/^[0-9]*[A-Z_a-z][0-9A-Z_a-z]*$/;
-my $NUMERIC_ID_RE = qr/^[1-9][0-9]*$/;
+sub validate_page_number ($) { $_[0] =~ /^[1-9][0-9]*$/ }
+sub validate_tag_name ($) { $_[0] !~ /^[1-9][0-9]*$/ && $_[0] =~ /^\w+$/ }
 
 my $MEDIA_SEARCH_OPTS = {
     order_by => { -desc => "media_id" },
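Review bot: The new `validate_page_number` in lib/PoorBooru.pm anchors with `^`/`$`, and `$` also matches just before a trailing newline, so a constructed `page` value like `"3\n"` passes the check and is forwarded to the API unchanged; anchoring with `\A`/`\z` closes that gap, `sub validate_page_number ($) { $_[0] =~ /\A[1-9][0-9]*\z/ }`. The same `^...$` pattern is repeated in `validate_page_number` and `validate_tag_name` in lib/PoorBooru/API/V0.pm, so the same change applies there. The `($)` prototype only imposes scalar context on the argument and is not an argument check; the conventional form is `sub validate_page_number { my ($page) = @_; ... }`. Now that the rule lives in a sub instead of inline, a one-line comment stating what it accepts (`# page numbers: positive integers without a leading zero`) would help the route handlers' readers.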
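Review bot: `validate_tag_name` is looser than the `$TAG_NAME_RE` it replaces in a way the commit message does not mention: the old pattern required at least one `[A-Z_a-z]`, whereas `\w+` with only positive integers excluded still accepts `0`, `007` and all-digit non-ASCII strings (Unicode digits match `\w`). If a name must contain a non-digit, `$_[0] =~ /\A\w+\z/ && $_[0] =~ /\D/` says so directly and makes the duplicated numeric-id regex unnecessary; if the numeric-id exclusion is the intended rule, `!validate_page_number($_[0])` reads better than repeating the pattern two lines below its definition. Whether `\w` matches non-ASCII letters here depends on the request body having been decoded into characters before the match, which is configured outside this hunk and is worth confirming. A one-line comment above the sub stating the accepted forms (`# tag names: word characters only, and never something that parses as a numeric id`) would document the rule the handlers rely on.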
@@ -49,7 +49,7 @@ get "/meta" => sub {
 
 get "/tags" => sub {
     my $page = query_parameters->get("page") // 1;
-    send_error("Invalid page number", 400) if $page !~ $NUMERIC_ID_RE;
+    send_error("Invalid page number", 400) if !validate_page_number($page);
 
     my $paged_tags = schema("default")->resultset("TagsCountView")
         ->search({}, $TAGS_COUNT_VIEW_SEARCH_OPTS)->page($page);
@@ -70,7 +70,7 @@ post "/tags" => sub {
     send_error("No tags provided", 400) if @tag_names == 0;
     send_error("Too many tags provided", 400) if @tag_names > 100;
     send_error("Invalid tag names", 400) if
-        grep { $_ !~ $TAG_NAME_RE } @tag_names;
+        grep { validate_tag_name($_) } @tag_names;
 
     my @tags;
     eval {
@@ -86,7 +86,7 @@ post "/tags" => sub {
 
 get "/tag/:tag_id_or_name" => sub {
     my $page = query_parameters->get("page") // 1;
-    send_error("Invalid page number", 400) if $page !~ $NUMERIC_ID_RE;
+    send_error("Invalid page number", 400) if !validate_page_number($page);
 
     my $tag_id_or_name = route_parameters->get("tag_id_or_name");
 
@@ -112,7 +112,7 @@ get "/tag/:tag_id_or_name" => sub {
 
 get "/media" => sub {
     my $page = query_parameters->get("page") // 1;
-    send_error("Invalid page number", 400) if $page !~ $NUMERIC_ID_RE;
+    send_error("Invalid page number", 400) if !validate_page_number($page);
 
     my $paged_media = schema("default")->resultset("Media")
         ->search({}, $MEDIA_SEARCH_OPTS)->page($page);
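Review bot: The condition in the `post "/tags"` hunk is inverted: `validate_tag_name` returns true for a valid name, so `grep { validate_tag_name($_) } @tag_names` raises `Invalid tag names` whenever at least one name is valid and lets the request through when every name is invalid, the opposite of the `$_ !~ $TAG_NAME_RE` it replaces. The line should be `grep { !validate_tag_name($_) } @tag_names;`. Since this is the only server-side check before the names reach the database insert in the `eval`, a regression test posting one valid and one invalid name would catch this class of mistake. The enclosing `post "/tags"` handler starts and ends outside the hunk.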