authorBen Morrison <ben@gbmor.dev>2019-06-14 00:31:17 -0400
committerBen Morrison <ben@gbmor.dev>2019-06-14 00:31:23 -0400
commit79c5696cb46abb110966f7db1bf2d55dbc63bb1d (patch)
tree01c951be5921316c2de8382e4ff5527dc4d6da99
parent1e0e919565dbd23e423fe9055a755a55bf971efb (diff)
downloadgetwtxt-79c5696cb46abb110966f7db1bf2d55dbc63bb1d.tar.gz
prevent potential ddos via circular registry POST v0.4.2
-rw-r--r--svc/post.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/svc/post.go b/svc/post.go
index 34ae92f..46032b9 100644
--- a/svc/post.go
+++ b/svc/post.go
@@ -3,6 +3,7 @@ package svc // import "github.com/getwtxt/getwtxt/svc"
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/getwtxt/registry"
 )
@@ -35,6 +36,10 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 
 	switch remoteRegistry {
 	case true:
+		if strings.Contains(urls, confObj.Instance.URL) {
+			errHTTP(w, r, fmt.Errorf("can't submit this registry to itself"), http.StatusBadRequest)
+			break
+		}
 		remoteRegistries.List = append(remoteRegistries.List, urls)
 
 		if err := twtxtCache.CrawlRemoteRegistry(urls); err != nil {
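Review bot: The self-submission guard `strings.Contains(urls, confObj.Instance.URL)` compares raw strings, so it can both over-reject and under-reject. If `confObj.Instance.URL` is empty, `strings.Contains` is true for every input and all remote-registry submissions get a 400. A URL that names this instance with a different scheme, letter case, port or alias host does not contain the configured string, so it still reaches `CrawlRemoteRegistry`. Parsing both values with `net/url` and comparing hostnames with `strings.EqualFold`, plus an explicit check that the configured URL is non-empty, would be sturdier. Only a direct self-reference is caught here, so a loop through a second registry would need de-duplication or a crawl limit, which may live in the part of apiPostUser outside this hunk.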
@@ -49,7 +54,7 @@ func apiPostUser(w http.ResponseWriter, r *http.Request) {
 
 		if err := twtxtCache.AddUser(nick, urls, "", uip, statuses); err != nil {
 			errHTTP(w, r, fmt.Errorf("error adding user to cache: %v", err.Error()), http.StatusBadRequest)
-			return
+			break
 		}
 
 		_, err = w.Write([]byte(fmt.Sprintf("200 OK\n")))
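Review bot: Replacing `return` with `break` on the `AddUser` failure path means that whatever follows the `switch` in apiPostUser now runs after `errHTTP` has already sent the 400. That code is outside this hunk, so it is worth confirming that it neither writes to `w` a second time nor records the request as successful. If the fall-through is intentional, a comment on the line such as `// break, not return: the code after the switch must still run` would document it. The same applies to the `break` added in the remote-registry branch in the previous hunk.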