Add UUID validation for uid parameter in API views

Ehco1996 · Jan 12, 2024 · 6403561 · 6403561
1 parent 5df53e1
commit 6403561
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/apps/api/views.py b/apps/api/views.py
@@ -1,3 +1,5 @@
+import uuid
+
 import pendulum
 from django.conf import settings
 from django.contrib.auth.decorators import login_required, permission_required
@@ -58,7 +60,14 @@ class SubscribeView(View):
     def get(self, request):
         user = None
         if uid := request.GET.get("uid"):
-            user = User.objects.filter(uid=uid).first()
+            # check if uid is valid
+            try:
+                uuid.UUID(uid)
+            except ValueError:
+                return HttpResponseBadRequest("invalid uid")
+        else:
+            return HttpResponseBadRequest("uid is required")
+        user = User.objects.filter(uid=uid).first()
         if not user:
             return HttpResponseBadRequest("user not found")
         node_list = m.ProxyNode.get_user_active_nodes(user)
@@ -83,7 +92,14 @@ class ClashProxyProviderView(View):
     def get(self, request):
         user = None
         if uid := request.GET.get("uid"):
-            user = User.objects.filter(uid=uid).first()
+            # check if uid is valid
+            try:
+                uuid.UUID(uid)
+            except ValueError:
+                return HttpResponseBadRequest("invalid uid")
+        else:
+            return HttpResponseBadRequest("uid is required")
+        user = User.objects.filter(uid=uid).first()
         if not user:
             return HttpResponseBadRequest("user not found")
         node_list = m.ProxyNode.get_user_active_nodes(user)