fix: info leak in screenshots api

Huskydog9988
2025-05-27 15:14:50 -04:00
parent 4b009f1aca
commit 0816d2ab3e
3 changed files with 30 additions and 6 deletions


@ -16,12 +16,11 @@ export default defineEventHandler(async (h3) => {
const result = await screenshotManager.get(screenshotId); const result = await screenshotManager.get(screenshotId);
if (!result) if (!result)
throw createError({ throw createError({
statusCode: 400, statusCode: 404,
statusMessage: "Incorrect screenshot ID",
}); });
else if (result.userId !== userId) else if (result.userId !== userId)
throw createError({ throw createError({
statusCode: 403, statusCode: 404,
}); });
await screenshotManager.delete(screenshotId); await screenshotManager.delete(screenshotId);
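Review bot: The missing-record and wrong-owner cases remain two separate `createError` branches here, and in the identical hunk of the fetch handler further down the page, so the two responses only stay indistinguishable as long as both branches are edited together. Folding them into one guard, `if (!result || result.userId !== userId) throw createError({ statusCode: 404 });`, removes that risk. A short comment such as `// 404 for both unknown and foreign IDs so a caller cannot learn which screenshot IDs exist` would also stop a later cleanup from restoring the 403. The handler begins above the hunk, so how `screenshotId` and `userId` are obtained and validated is not visible from here.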


@ -16,12 +16,11 @@ export default defineEventHandler(async (h3) => {
const result = await screenshotManager.get(screenshotId); const result = await screenshotManager.get(screenshotId);
if (!result) if (!result)
throw createError({ throw createError({
statusCode: 400, statusCode: 404,
statusMessage: "Incorrect screenshot ID",
}); });
else if (result.userId !== userId) else if (result.userId !== userId)
throw createError({ throw createError({
statusCode: 403, statusCode: 404,
}); });
return result; return result;
}); });


@ -5,6 +5,11 @@ import stream from "node:stream/promises";
import prisma from "../db/database"; import prisma from "../db/database";
class ScreenshotManager { class ScreenshotManager {
/**
* Gets a specific screenshot
* @param id
* @returns
*/
async get(id: string) { async get(id: string) {
return await prisma.screenshot.findUnique({ return await prisma.screenshot.findUnique({
where: { where: {
@ -13,6 +18,11 @@ class ScreenshotManager {
}); });
} }
/**
* Get all user screenshots
* @param userId
* @returns
*/
async getUserAll(userId: string) { async getUserAll(userId: string) {
const results = await prisma.screenshot.findMany({ const results = await prisma.screenshot.findMany({
where: { where: {
@ -22,6 +32,12 @@ class ScreenshotManager {
return results; return results;
} }
/**
* Get all user screenshots in a specific game
* @param userId
* @param gameId
* @returns
*/
async getUserAllByGame(userId: string, gameId: string) { async getUserAllByGame(userId: string, gameId: string) {
const results = await prisma.screenshot.findMany({ const results = await prisma.screenshot.findMany({
where: { where: {
@ -32,6 +48,10 @@ class ScreenshotManager {
return results; return results;
} }
/**
* Delete a specific screenshot
* @param id
*/
async delete(id: string) { async delete(id: string) {
await prisma.screenshot.delete({ await prisma.screenshot.delete({
where: { where: {
@ -40,6 +60,12 @@ class ScreenshotManager {
}); });
} }
/**
* Allows a user to upload a screenshot
* @param userId
* @param gameId
* @param inputStream
*/
async upload(userId: string, gameId: string, inputStream: IncomingMessage) { async upload(userId: string, gameId: string, inputStream: IncomingMessage) {
const objectId = randomUUID(); const objectId = randomUUID();
const saveStream = await objectHandler.createWithStream( const saveStream = await objectHandler.createWithStream(
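Review bot: The new doc comments on `get` and `delete` leave `@param id` and `@returns` empty and do not mention that both methods query by `id` alone, with no owner filter in the visible `where` clause. That is the contract the two API handlers in this commit depend on, so I would spell it out. On `get`: `@returns the screenshot record, or null if no row matches; performs NO ownership check, callers must compare userId`. On `delete`: `Deletes by id only; the caller must have verified ownership first`. The body of `upload` continues past the end of the hunk, so its comment is not reviewed here.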