From 3fc1eea801798918e2ba0f26db7b2cc8075f5fdc Mon Sep 17 00:00:00 2001
From: pushrbx
Date: Sat, 15 Jul 2023 15:26:48 +0100
Subject: [PATCH] added validation against new line and weird characters in `q` parameter of the search endpoint

---
 app/Dto/SearchCommand.php             | 1 -
 app/Features/SearchRequestHandler.php | 8 ++++++++
 app/Rules/MaxResultsPerPageRule.php   | 4 +---
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/Dto/SearchCommand.php b/app/Dto/SearchCommand.php
index 8328ea1..870934b 100644
--- a/app/Dto/SearchCommand.php
+++ b/app/Dto/SearchCommand.php
@@ -7,7 +7,6 @@ use App\Dto\Concerns\HasLimitParameter;
 use App\Dto\Concerns\HasPageParameter;
 use App\Enums\SortDirection;
 use App\Rules\Attributes\EnumValidation;
-use Spatie\Enum\Laravel\Rules\EnumRule;
 use Spatie\LaravelData\Attributes\Validation\Alpha;
 use Spatie\LaravelData\Attributes\Validation\Max;
 use Spatie\LaravelData\Attributes\Validation\Prohibits;
diff --git a/app/Features/SearchRequestHandler.php b/app/Features/SearchRequestHandler.php
index e4851cf..b665e96 100644
--- a/app/Features/SearchRequestHandler.php
+++ b/app/Features/SearchRequestHandler.php
@@ -10,6 +10,7 @@ use Illuminate\Http\Resources\Json\JsonResource;
 use Illuminate\Http\Resources\Json\ResourceCollection;
 use Illuminate\Http\Response;
 use Illuminate\Support\Collection;
+use Illuminate\Validation\ValidationException;
 use Spatie\Enum\Laravel\Enum;
 
 /**
@@ -30,6 +31,13 @@ abstract class SearchRequestHandler implements RequestHandler
     {
         // note: ->all() doesn't transform the dto, all the parsed data is returned as it was parsed. (and validated)
         $requestData = collect($request->all());
+        $prohibitedSearchCharacters = collect(["\n", "\\n", "\r", "\t", "\0", "%0A"]);
+        if (in_array($requestData->get("q", ""), $prohibitedSearchCharacters->toArray()) || $prohibitedSearchCharacters->filter(fn($value) => strpos($requestData->get("q", ""), $value) !== false)->count() > 0) {
+            throw ValidationException::withMessages([
+                "q" => "The q parameter cannot contain any of the following characters: \\n, \\r, \\t, \\0, %0A"
+            ]);
+        }
         $builder = $this->queryBuilderService->query(
             $this->prepareOrderByParam($requestData)
         );
diff --git a/app/Rules/MaxResultsPerPageRule.php b/app/Rules/MaxResultsPerPageRule.php
index 4d5bebb..bac6ccd 100644
--- a/app/Rules/MaxResultsPerPageRule.php
+++ b/app/Rules/MaxResultsPerPageRule.php
@@ -3,8 +3,6 @@ namespace App\Rules;
 
 use Illuminate\Contracts\Validation\Rule;
-use Illuminate\Support\Env;
-use Illuminate\Support\Facades\App;
 
 final class MaxResultsPerPageRule implements Rule
 {
@@ -37,7 +35,7 @@ final class MaxResultsPerPageRule implements Rule
     public function message(): array|string
     {
-        $mrpp = max_results_per_page();
+        $mrpp = max_results_per_page($this->fallbackLimit);
         return "Value {$this->value} is higher than the configured '$mrpp' max value.";
     }
 }
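Review bot: The new `if` in SearchRequestHandler assumes `q` is a string — a request sending `q[]=x` makes `$requestData->get("q", "")` return an array, and `strpos()` on an array throws a `TypeError` under PHP 8, so the guard turns a malformed query into a 500 instead of the 422 it is meant to produce. The denylist is also a sample rather than a class: `\x0B`, `\x0C`, `\x1B` and the other C0 control characters pass untouched, while `"\\n"` rejects a harmless literal backslash-n inside ordinary search text. A type guard plus one regex over the control range covers both and keeps the literal `\n` and `%0A` rejections the commit wants: `$q = $requestData->get("q") ?? "";` followed by `if (!is_string($q) || preg_match('/[\x00-\x1F\x7F]|\\\\n|%0A/i', $q) === 1) {`, with the `throw` unchanged; the leading `in_array` test is subsumed by the `strpos` loop and can go. SearchCommand.php imports `Alpha`/`Max`/`Prohibits` validation attributes for its fields, so this rule presumably belongs there as a declarative attribute rather than ad hoc in the handler — worth confirming against how the DTO is validated. The enclosing method's signature sits above the hunk.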