Made security fixes

berrysauce · Aug 24, 2023 · 2453313 · 2453313
1 parent f3bbe05
commit 2453313
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 7 deletions.
diff --git a/ingredients.py b/ingredients.py
@@ -17,10 +17,10 @@ def scan(url):
     try:
         r = httpx.get(url)
     except httpx.ConnectError:
-        raise Exception("Invalid URL")
+        raise httpx.InvalidURL("Invalid URL")
 
     if r.status_code != 200:
-        raise Exception(f"Error: Invalid Request Status Code ({r.status_code})")
+        raise httpx.RequestError(f"Invalid Request Status Code ({r.status_code})")
 
     soup = bs4.BeautifulSoup(r.text, "html.parser")
 

diff --git a/main.py b/main.py
@@ -1,6 +1,8 @@
 import uvicorn
 from fastapi import FastAPI, Response, status
 from fastapi.responses import JSONResponse, HTMLResponse
+from urllib.parse import urlparse
+import httpx
 
 # local imports
 import ingredients
@@ -21,30 +23,51 @@ def get_root():
 
 @app.get("/scan", response_class=JSONResponse)
 def get_scan(url: str, response: Response):
+
+    # Parse URL and remove port, query, and fragment
+    r = urlparse(url)
+    parsed_url = r.scheme + "://" + r.netloc.split(":")[0] + r.path
+
     try:
-        data = ingredients.scan(url)
+        data = ingredients.scan(parsed_url)
         return data
-    except Exception as e:
+    except httpx.InvalidURL as e:
         response.status_code = status.HTTP_400_BAD_REQUEST
         return {
             "error": str(e)
         }
+    except httpx.RequestError as e:
+        response.status_code = status.HTTP_400_BAD_REQUEST
+        return {
+            "error": str(e)
+        }
+    except:
+        return {
+            "error": "An error occured while scanning the URL"
+        }
 
 
 @app.get("/icon/{icon}")
 def get_icon(icon: str, response: Response):
+    # increase compatibility
+    if ".png" not in icon:
+        icon += ".png"
+
+    # parse icon and remove path, query, and fragment
+    parsed_icon = icon.lower().split("/")[0].split("?")[0].split("#")[0]
+
     try:
-        with open("./icons/" + icon, "rb") as f:
+        with open("./icons/" + parsed_icon, "rb") as f:
             return Response(content=f.read(), media_type="image/png")
     except FileNotFoundError:
         response.status_code = status.HTTP_404_NOT_FOUND
         return {
             "error": "Icon not found"
         }
-    except Exception as e:
+    except:
         response.status_code = status.HTTP_400_BAD_REQUEST
         return {
-            "error": str(e)
+            "error": "An error occured while fetching the icon"
         }