mattermost-community · mickmister · Sep 14, 2023 · Jul 5, 2023 · Jul 12, 2023 · Jul 18, 2023
@@ -152,6 +152,13 @@ func (p *Plugin) handleTelemetry(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
+
+	if telemetryRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
 
 	if telemetryRequest.Event != "" {
 		p.trackFrontend(userID, telemetryRequest.Event, telemetryRequest.Properties)
@@ -180,9 +187,16 @@ func (p *Plugin) handleAdd(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
 
 	senderName := p.listManager.GetUserName(userID)
 
+	if addRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	if addRequest.SendTo == "" {
 		_, err = p.listManager.AddIssue(userID, addRequest.Message, addRequest.Description, addRequest.PostID)
 		if err != nil {
@@ -349,6 +363,12 @@ func (p *Plugin) handleEdit(w http.ResponseWriter, r *http.Request) {
 	}
 	r.Body.Close()
 
+	if editRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	foreignUserID, list, oldMessage, err := p.listManager.EditIssue(userID, editRequest.ID, editRequest.Message, editRequest.Description)
 	if err != nil {
 		p.API.LogError("Unable to edit message: err=" + err.Error())
@@ -395,6 +415,12 @@ func (p *Plugin) handleChangeAssignment(w http.ResponseWriter, r *http.Request)
 	}
 	r.Body.Close()
 
+	if changeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
+
 	if changeRequest.SendTo == "" {
 		http.Error(w, "No user specified", http.StatusBadRequest)
 		return
@@ -449,6 +475,13 @@ func (p *Plugin) handleAccept(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
+
+	if acceptRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
 
 	todoMessage, sender, err := p.listManager.AcceptIssue(userID, acceptRequest.ID)
 	if err != nil {
@@ -485,6 +518,13 @@ func (p *Plugin) handleComplete(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
+
+	if completeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
 
 	issue, foreignID, listToUpdate, err := p.listManager.CompleteIssue(userID, completeRequest.ID)
 	if err != nil {
@@ -530,6 +570,13 @@ func (p *Plugin) handleRemove(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
+
+	if removeRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
 
 	issue, foreignID, isSender, listToUpdate, err := p.listManager.RemoveIssue(userID, removeRequest.ID)
 	if err != nil {
@@ -581,6 +628,13 @@ func (p *Plugin) handleBump(w http.ResponseWriter, r *http.Request) {
 		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", err)
 		return
 	}
+	r.Body.Close()
+
+	if bumpRequest == nil {
+		p.API.LogError("Invalid request body")
+		p.handleErrorWithCode(w, http.StatusBadRequest, "Unable to decode JSON", errors.New("invalid request body"))
+		return
+	}
 
 	todoMessage, foreignUser, foreignIssueID, err := p.listManager.BumpIssue(userID, bumpRequest.ID)
 	if err != nil {