[MI-3240]:Fixed security issue [MM-53425] of TODO plugin (#1)

* [MI-3240]:Fixed security issue [MM-53425] of TODO plugin

* [MI-3240]:Fixed review comments

server/plugin.go

@@ -153,6 +153,12 @@ func (p *Plugin) handleTelemetry(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if telemetryRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	if telemetryRequest.Event != "" {
 		p.trackFrontend(userID, telemetryRequest.Event, telemetryRequest.Properties)
 	}
@@ -183,6 +189,12 @@ func (p *Plugin) handleAdd(w http.ResponseWriter, r *http.Request) {
 
 	senderName := p.listManager.GetUserName(userID)
 
+	if addRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	if addRequest.SendTo == "" {
 		_, err = p.listManager.AddIssue(userID, addRequest.Message, addRequest.Description, addRequest.PostID)
 		if err != nil {
@@ -349,6 +361,12 @@ func (p *Plugin) handleEdit(w http.ResponseWriter, r *http.Request) {
 	}
 	r.Body.Close()
 
+	if editRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	foreignUserID, list, oldMessage, err := p.listManager.EditIssue(userID, editRequest.ID, editRequest.Message, editRequest.Description)
 	if err != nil {
 		p.API.LogError("Unable to edit message: err=" + err.Error())
@@ -395,6 +413,12 @@ func (p *Plugin) handleChangeAssignment(w http.ResponseWriter, r *http.Request)
 	}
 	r.Body.Close()
 
+	if changeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	if changeRequest.SendTo == "" {
 		http.Error(w, "No user specified", http.StatusBadRequest)
 		return
@@ -450,6 +474,12 @@ func (p *Plugin) handleAccept(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if acceptRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	todoMessage, sender, err := p.listManager.AcceptIssue(userID, acceptRequest.ID)
 	if err != nil {
 		p.API.LogError("Unable to accept issue err=" + err.Error())
@@ -486,6 +516,12 @@ func (p *Plugin) handleComplete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if completeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	issue, foreignID, listToUpdate, err := p.listManager.CompleteIssue(userID, completeRequest.ID)
 	if err != nil {
 		p.API.LogError("Unable to complete issue err=" + err.Error())
@@ -531,6 +567,12 @@ func (p *Plugin) handleRemove(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if removeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	issue, foreignID, isSender, listToUpdate, err := p.listManager.RemoveIssue(userID, removeRequest.ID)
 	if err != nil {
 		p.API.LogError("Unable to remove issue, err=" + err.Error())
@@ -582,6 +624,12 @@ func (p *Plugin) handleBump(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if bumpRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	todoMessage, foreignUser, foreignIssueID, err := p.listManager.BumpIssue(userID, bumpRequest.ID)
 	if err != nil {
 		p.API.LogError("Unable to bump issue, err=" + err.Error())