173 Updates TZP dapp to sanitize network type at all possible inputs,…

… adds explicit checks for vec access in worker
spruceid · Dec 2, 2021 · b7fe352 · b7fe352
1 parent 758b89d
commit b7fe352
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 19 deletions.
diff --git a/dapp/src/routes/Search/Search.svelte b/dapp/src/routes/Search/Search.svelte
@@ -10,7 +10,7 @@
   import { useNavigate } from 'svelte-navigator';
   import { onMount } from 'svelte';
   import { defaultSearchOpts, search, network, alert } from 'src/store';
-  import type NetworkType from 'enumsNetworkType';
+  import NetworkType from 'enumsNetworkType';
   import { findAddressFromDomain } from './searchHelper';
   import './search.scss';
 
@@ -32,7 +32,9 @@
   };
 
   const setSelectedNetwork = () => {
-    network.set(localNetwork as NetworkType);
+    if (Object.values(NetworkType).includes(localNetwork as NetworkType)) {
+      network.set(localNetwork as NetworkType);
+    }
   };
 
   const searchProfiles = async () => {

diff --git a/dapp/src/routes/View.svelte b/dapp/src/routes/View.svelte
@@ -8,7 +8,7 @@
     search,
     network,
   } from 'src/store';
-  import type NetworkType from 'enumsNetworkType';
+  import NetworkType from 'enumsNetworkType';
   import { BasePage, LoadingSpinner, PublicProfileView } from 'components';
 
   const params = useParams();
@@ -21,9 +21,13 @@
   onMount(() => {
     // TODO: Generalize over claim types?
     if (!$searchClaims?.basic.content || !$searchClaims?.twitter.content) {
-      network.set(
-        ($params.network as NetworkType) || ('mainnet' as NetworkType)
-      );
+      const n = $params.network;
+      if (Object.values(NetworkType).includes(n as NetworkType)) {
+        network.set(n as NetworkType);
+      } else {
+        network.set(NetworkType.MAINNET)
+      }
+
       fetching = true;
       search($params.address, defaultSearchOpts).finally(() => {
         fetching = false;

diff --git a/dapp/src/store.ts b/dapp/src/store.ts
@@ -391,8 +391,13 @@ wallet.subscribe((w) => {
   }
 });
 
-network.subscribe((network) => {
-  if (network === NetworkType.CUSTOM) {
+network.subscribe((n) => {
+  if (!Object.values(NetworkType).includes(n as NetworkType)) {
+    network.set(NetworkType.MAINNET)
+    return
+  }
+
+  if (n === NetworkType.CUSTOM) {
     networkStr.set('custom');
     // TODO can't read from writeable, but then I don't understand why others work.
     networkStrTemp = 'custom';
@@ -404,12 +409,12 @@ network.subscribe((network) => {
     tzktBaseTemp = 'http://localhost:5000';
     tzktBase.set(tzktBaseTemp);
   } else {
-    networkStr.set(network);
+    networkStr.set(n);
     // TODO can't read from writeable, but then I don't understand why others work.
-    networkStrTemp = network;
-    strNetwork = network;
+    networkStrTemp = n;
+    strNetwork = n;
 
-    urlNode = `https://${network}.api.tez.ie/`;
+    urlNode = `https://${n}.api.tez.ie/`;
     nodeUrl.set(urlNode);
 
     tzktBaseTemp = `https://api.${networkStrTemp}.tzkt.io`;

diff --git a/worker/src/dns.rs b/worker/src/dns.rs
@@ -21,12 +21,17 @@ pub struct AnswerResponse {
 
 pub fn find_signature_to_resolve(dns_result: DnsResponse) -> Result<String> {
     for answer in dns_result.answer {
-        let mut trimmed_signature: &str = &answer.data;
-        if trimmed_signature.starts_with('"') && trimmed_signature.ends_with('"') {
-            trimmed_signature = &answer.data[1..answer.data.len() - 1];
+        let mut trimmed_signature = answer.data.to_string();
+        if trimmed_signature.starts_with('"') {
+            trimmed_signature = trimmed_signature.trim_start_matches('"').to_string();
         }
+
+        if trimmed_signature.ends_with('"') {
+            trimmed_signature = trimmed_signature.trim_end_matches('"').to_string();
+        }
+
         if trimmed_signature.starts_with("tzprofiles-verification") {
-            return Ok(trimmed_signature.to_string());
+            return Ok(trimmed_signature);
         }
     }
 

diff --git a/worker/src/lib.rs b/worker/src/lib.rs
@@ -194,16 +194,28 @@ pub async fn witness_tweet(
         let sk: JWK = jserr!(serde_json::from_str(&secret_key_jwk));
         let twitter_res = jserr!(twitter::retrieve_tweet(twitter_token, tweet_id.clone()).await);
         let mut vc = jserr!(twitter::build_twitter_vc(&pk, &twitter_handle));
+        let user = match twitter_res.includes.users.first() {
+            Some(u) => u,
+            None => {
+                jserr!(Err(anyhow!("Could not find user in Twitter API Response")));
+            }
+        };
 
-        if twitter_handle.to_lowercase() != twitter_res.includes.users[0].username.to_lowercase() {
+        if twitter_handle.to_lowercase() != user.username.to_lowercase() {
             jserr!(Err(anyhow!(format!(
                 "Different twitter handle {} v. {}",
                 twitter_handle.to_lowercase(),
-                twitter_res.includes.users[0].username.to_lowercase()
+                user.username.to_lowercase()
             ))));
         }
+        let data = match twitter_res.data.first() {
+            Some(d) => d,
+            None => {
+                jserr!(Err(anyhow!("Could not find tweet text data in Twitter API Response")));
+            }
+        };
 
-        let (sig_target, sig) = jserr!(extract_signature(twitter_res.data[0].text.clone()));
+        let (sig_target, sig) = jserr!(extract_signature(data.text.clone()));
 
         let correct_attestation = attest(SubjectType::Twitter(Subject {
             id: twitter_handle.clone(),