fix(incoming-webhook): simple script DoS protection

ncarlier · Nov 11, 2022 · eb0b7e9 · eb0b7e9
1 parent 3cf9823
commit eb0b7e9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 8 deletions.
diff --git a/pkg/scripting/operation.go b/pkg/scripting/operation.go
@@ -24,6 +24,14 @@ type Operation struct {
 	Args []string
 }
 
+// GetFirstArg retrn first operation argument
+func (op Operation) GetFirstArg() string {
+	if len(op.Args) > 0 {
+		return op.Args[0]
+	}
+	return ""
+}
+
 // OperationStack is a stack of operation
 type OperationStack []Operation
 

diff --git a/pkg/service/scripting.go b/pkg/service/scripting.go
@@ -63,25 +63,31 @@ func (reg *Registry) processArticleByScriptEngine(ctx context.Context, alias str
 
 func (reg *Registry) execSetOperations(ctx context.Context, ops scripting.OperationStack, article *model.ArticleCreateForm) {
 	uid := getCurrentUserIDFromContext(ctx)
+	category := ""
 	for _, op := range ops {
-		value := op.Args[0]
 		switch op.Name {
 		case scripting.OpSetCategory:
-			// set category
-			if cat, err := reg.db.GetCategoryByUserAndTitle(uid, value); err == nil && cat != nil {
-				article.CategoryID = cat.ID
-			}
+			// only execute last setCategory operation
+			category = op.GetFirstArg()
 		case scripting.OpSetText:
 			// set text
-			article.Text = &value
+			text := op.GetFirstArg()
+			article.Text = &text
 		case scripting.OpSetTitle:
 			// set title
-			article.Title = value
+			article.Title = op.GetFirstArg()
+		}
+	}
+	if category != "" {
+		if cat, err := reg.db.GetCategoryByUserAndTitle(uid, category); err == nil && cat != nil {
+			article.CategoryID = cat.ID
 		}
 	}
 }
 
 func (reg *Registry) execOtherOperations(ctx context.Context, ops scripting.OperationStack, article *model.Article) error {
+	// allows only 2 webhook trigger
+	hardLimitCounter := 2
 	for _, op := range ops {
 		switch op.Name {
 		case scripting.OpSendNotification:
@@ -99,7 +105,11 @@ func (reg *Registry) execOtherOperations(ctx context.Context, ops scripting.Oper
 				return err
 			}
 		case scripting.OpTriggerWebhook:
-			name := op.Args[0]
+			if hardLimitCounter == 0 {
+				continue
+			}
+			hardLimitCounter--
+			name := op.GetFirstArg()
 			if err := reg.SendArticle(ctx, article.ID, &name); err != nil {
 				return err
 			}