From cc4e3910867663c9d636bab47df6be531509f334 Mon Sep 17 00:00:00 2001
From: hariwij
Date: Sat, 14 Sep 2024 02:15:30 +0530
Subject: [PATCH 1/2] Bug: fix issue #123 - Api allows to submit other's answers and get marks.
---
 .env.example | 3 ++-
 src/services/submission.js | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/.env.example b/.env.example
index ae87eac..eb6695f 100644
--- a/.env.example
+++ b/.env.example
@@ -19,4 +19,5 @@ SCOREKEEPER_REPO_OWNER=
 SCOREKEEPER_REPO_NAME=
 AZURE_CHALLENGE_UPLOAD_SAS_TOKEN=
-AZURE_SOLUTION_DOWNLOAD_SAS_TOKEN=
\ No newline at end of file
+AZURE_SOLUTION_DOWNLOAD_SAS_TOKEN=
+AZURE_FILE_URL_PATTERN=
\ No newline at end of file
diff --git a/src/services/submission.js b/src/services/submission.js
index fe57af1..430cd9f 100644
--- a/src/services/submission.js
+++ b/src/services/submission.js
@@ -7,6 +7,10 @@ export const createSubmission = async ({ question: questionId, link }, user) =>
 const question = await findQuestion({ _id: questionId });
 if (!question) throw new createError(422, 'Invalid question ID');
 if (!question.enabled) throw new createError(400, 'You cannot make a submission for a disabled question');
+
+ const chkurl = `${process.env.AZURE_FILE_URL_PATTERN}/${encodeURIComponent(user.name)}`;
+ if(!link.startsWith(chkurl)) throw new createError(422, 'Invalid submission link');
+
 const submission = await insertSubmission(user._id, questionId, link);
 initiateTesting(
 user.name,
From cacfdc999e0b22e80fbe267a14bd7402496f2c22 Mon Sep 17 00:00:00 2001
From: Akalanka Perera
Date: Sat, 14 Sep 2024 10:30:54 +0530
Subject: [PATCH 2/2] Refactor: check url construction
---
 .env.example | 3 ++-
 src/services/submission.js | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/.env.example b/.env.example
index eb6695f..b6461c9 100644
--- a/.env.example
+++ b/.env.example
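Review bot: The prefix check added in the submission.js hunk ties the link to `…/<encoded user name>` but not to that user's folder: `link.startsWith(chkurl)` also accepts any path whose next characters merely extend the encoded name (an illustrative `alice` vs `alice2`), because no separator is required after it. Comparing against the folder prefix including its separator closes that gap, `if (!link.startsWith(chkurl + '/')) throw new createError(422, 'Invalid submission link');`. The same bare-prefix comparison is kept for `checkUrl` in the submission.js hunk of PATCH 2/2, so the fix applies there too. createSubmission's body continues outside the hunk.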
@@ -20,4 +20,5 @@ SCOREKEEPER_REPO_NAME=
 AZURE_CHALLENGE_UPLOAD_SAS_TOKEN=
 AZURE_SOLUTION_DOWNLOAD_SAS_TOKEN=
-AZURE_FILE_URL_PATTERN=
\ No newline at end of file
+AZURE_SOLUTION_UPLOAD_STORAGE_ACCOUNT=
+AZURE_STORAGE_CONTAINER=
\ No newline at end of file
diff --git a/src/services/submission.js b/src/services/submission.js
index 430cd9f..b566302 100644
--- a/src/services/submission.js
+++ b/src/services/submission.js
@@ -8,8 +8,9 @@ export const createSubmission = async ({ question: questionId, link }, user) =>
 if (!question) throw new createError(422, 'Invalid question ID');
 if (!question.enabled) throw new createError(400, 'You cannot make a submission for a disabled question');
- const chkurl = `${process.env.AZURE_FILE_URL_PATTERN}/${encodeURIComponent(user.name)}`;
- if(!link.startsWith(chkurl)) throw new createError(422, 'Invalid submission link');
+ const checkUrl = `https://${process.env.AZURE_SOLUTION_UPLOAD_STORAGE_ACCOUNT}.blob.core.windows.net/${process.env.AZURE_STORAGE_CONTAINER}/${encodeURIComponent(user.name)}`;
+
+ if(!link.startsWith(checkUrl)) throw new createError(422, 'Invalid submission link');
 const submission = await insertSubmission(user._id, questionId, link);
 initiateTesting(
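Review bot: `link` is compared as a raw string without first being validated as a string or as a URL, so a request body whose `link` is missing or not a string throws a TypeError from `link.startsWith` inside the handler (presumably surfacing as a 500 rather than the intended 422), and the comparison sees the literal bytes rather than a normalised origin and path. Parsing with `new URL(link)` up front turns malformed input into the same 422, and comparing `origin` plus a `pathname` prefix that ends in `/` binds the link to the user's own folder rather than to any name that merely extends it. If user names can contain characters outside the unreserved set, confirm that `encodeURIComponent` and the WHATWG path serialisation agree for them; where they differ the check rejects that user's own links (it fails closed). If both environment variables are unset the expected origin contains the text `undefined` and every link is rejected, which is also fail-closed but deserves a startup check. createSubmission's body continues outside the hunk.
```javascript
  if (!question.enabled) throw new createError(400, 'You cannot make a submission for a disabled question');

  // Parse before comparing: a missing or malformed link is a client error, and the
  // parsed origin/pathname are normalised (host case, dot segments) for the check.
  let parsedLink;
  try {
    parsedLink = new URL(link);
  } catch (err) {
    throw new createError(422, 'Invalid submission link');
  }
  const expectedOrigin = `https://${process.env.AZURE_SOLUTION_UPLOAD_STORAGE_ACCOUNT}.blob.core.windows.net`;
  // Trailing '/' so only this user's folder matches, not names that extend it.
  const expectedPathPrefix = `/${process.env.AZURE_STORAGE_CONTAINER}/${encodeURIComponent(user.name)}/`;
  if (parsedLink.origin !== expectedOrigin || !parsedLink.pathname.startsWith(expectedPathPrefix)) {
    throw new createError(422, 'Invalid submission link');
  }
  // … unchanged: insertSubmission / initiateTesting …
```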