From ea687d2faa931e00967ff0f10ee9e4a5163969df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20M=C3=BCller?=
Date: Sun, 24 Sep 2017 11:13:38 +0200
Subject: [PATCH] id check implemented

---
 render.go  | 8 +++++++-
 server.go  | 6 ++++--
 storage.go | 13 ++++++++++++-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/render.go b/render.go
index 244c613..6745450 100644
--- a/render.go
+++ b/render.go
@@ -31,6 +31,12 @@ var (
 errorBadRequest = errors.New("password is empty")
 )
 
+func statusNote(code int) *Note {
+ n := &Note{Text: "# " + statuses[code]}
+ n.prepare()
+ return n
+}
+
 func (n *Note) prepare() {
 fstLine := rexpNewLine.Split(n.Text, -1)[0]
 maxLength := 25
@@ -54,7 +60,7 @@ func md2html(c echo.Context, name string) (*Note, int) {
 if err != nil {
 c.Logger().Errorf("couldn't open markdown page %s: %v", path, err)
 code := http.StatusServiceUnavailable
- return &Note{Title: statuses[code], Text: "# " + statuses[code]}, code
+ return statusNote(code), code
 }
 c.Logger().Debugf("rendering markdown page %s", name)
 return &Note{Title: name, Content: mdTmplHTML(mdContent)}, http.StatusOK
diff --git a/server.go b/server.go
index 2f5038f..410d218 100644
--- a/server.go
+++ b/server.go
@@ -70,7 +70,6 @@ func main() {
 e.GET("/:id", func(c echo.Context) error {
 n, code := load(c, db)
 defer incViews(n)
- n.prepare()
 if fraudelent(n) {
 n.Ads = mdTmplHTML(ads)
 }
@@ -81,7 +80,10 @@ func main() {
 e.GET("/:id/export", func(c echo.Context) error {
 n, code := load(c, db)
 c.Logger().Debugf("/%s/export requested; response code: %d", n.ID, code)
- return c.String(code, n.Text)
+ if code == http.StatusOK {
+ return c.String(code, n.Text)
+ }
+ return c.Render(code, "Note", n)
 })
 
 e.GET("/:id/stats", func(c echo.Context) error {
diff --git a/storage.go b/storage.go
index 3b16eea..4a85989 100644
--- a/storage.go
+++ b/storage.go
@@ -9,6 +9,7 @@ import (
 "html/template"
 "math/rand"
 "net/http"
+ "regexp"
 "strings"
 "time"
 
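Review bot: statusNote at the top of the render.go hunk sets only Text and leaves Title to prepare(), whereas the lines it replaces in md2html (and in the two load hunks in storage.go) set `Title: statuses[code]` explicitly; the visible start of prepare() splits Text on its first line, so the title presumably comes from there, but the rest of prepare() is outside the hunk and that is worth confirming. If statuses is a map, an unlisted code yields an empty title and a body of just `# `, which the old explicit Title did no better at, but a doc comment would make the contract visible: `// statusNote returns a placeholder note whose body is the status text for code; the remaining fields are derived by prepare.`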
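Review bot: Dropping `n.prepare()` from the /:id handler in the first server.go hunk makes both handlers in this file depend on every return path of load having already called prepare(), which the storage.go hunks do today (statusNote on the two error paths, an explicit call on the success path) but nothing at the call site states. A one-line comment after `n, code := load(c, db)`, `// load returns a prepared note on every path`, keeps that invariant visible to the next edit of load. The enclosing main() starts and ends outside the hunk.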
@@ -21,6 +22,8 @@ func init() {
 
 const idLength = 5
 
+var rexpNoteID = regexp.MustCompile("[a-z0-9]+")
+
 type Note struct {
 ID, Title, Text, Password, DeprecatedPassword string
 Published, Edited time.Time
@@ -39,6 +42,9 @@ func save(c echo.Context, db *sql.DB, n *Note) (*Note, error) {
 if n.ID == "" {
 return insert(c, db, n)
 }
+ if !rexpNoteID.Match([]byte(n.ID)) {
+ return nil, errorBadRequest
+ }
 return update(c, db, n)
 }
 
@@ -115,6 +121,10 @@ func randId() string {
 
 func load(c echo.Context, db *sql.DB) (*Note, int) {
 q := c.Param("id")
+ if !rexpNoteID.Match([]byte(q)) {
+ code := http.StatusNotFound
+ return statusNote(code), code
+ }
 c.Logger().Debugf("loading note %s", q)
 stmt, _ := db.Prepare("select * from notes where id = ?")
 defer stmt.Close()
@@ -125,7 +135,7 @@ func load(c echo.Context, db *sql.DB) (*Note, int) {
 var views int
 if err := row.Scan(&id, &text, &published, &editedVal, &password, &views); err != nil {
 code := http.StatusNotFound
- return &Note{Title: statuses[code], Text: "# " + statuses[code]}, code
+ return statusNote(code), code
 }
 n := &Note{
 ID: id,
@@ -136,5 +146,6 @@ func load(c echo.Context, db *sql.DB) (*Note, int) {
 if editedVal != nil {
 n.Edited = editedVal.(time.Time)
 }
+ n.prepare()
 return n, http.StatusOK
 }
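Review bot: `rexpNoteID` is unanchored, so `Match` succeeds for any string that contains at least one lowercase letter or digit anywhere (constructed examples: `A-b`, `x y`), and the two guards built on it in the save and load hunks of this file therefore reject only inputs with no such character at all. Anchor the pattern, `var rexpNoteID = regexp.MustCompile("^[a-z0-9]+$")`, and since idLength is declared just above it may be worth pinning the length too if every stored ID has it, which this diff does not show. The lookup in load is parameterized (`id = ?`), so this is not an injection path, but the check does not enforce the format it appears to and callers reading it will assume it does. `rexpNoteID.MatchString(n.ID)` / `rexpNoteID.MatchString(q)` also avoid the `[]byte` conversion at both call sites.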
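Review bot: The new guard in save returns `errorBadRequest`, whose message the render.go hunk's context shows as "password is empty", so a rejected ID surfaces under an unrelated message wherever that error is logged or rendered. A dedicated sentinel next to the existing one, e.g. `errorBadID = errors.New("note id is malformed")` (name constructed here), returned from this branch keeps the two causes distinguishable with errors.Is. The rest of save and the update() it calls are outside the hunk.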