From 7cde971f8b79579951df98384a5210d25f698af5 Mon Sep 17 00:00:00 2001 From: theWorstComrade <59704962+theWorstComrade@users.noreply.github.com> Date: Tue, 29 Mar 2022 09:25:35 +0200 Subject: [PATCH] Module upload validation (#857) https://huntr.dev/bounties/cb9a0393-be34-4021-a06c-00c7791c7622/ --- .../Admin/Modules/UnzipModuleController.php | 6 +-- .../Admin/Modules/UploadModuleController.php | 6 +-- app/Http/Requests/UnzipUpdateRequest.php | 37 +++++++++++++++++ app/Http/Requests/UploadModuleRequest.php | 40 +++++++++++++++++++ 4 files changed, 83 insertions(+), 6 deletions(-) create mode 100644 app/Http/Requests/UnzipUpdateRequest.php create mode 100644 app/Http/Requests/UploadModuleRequest.php diff --git a/app/Http/Controllers/V1/Admin/Modules/UnzipModuleController.php b/app/Http/Controllers/V1/Admin/Modules/UnzipModuleController.php index a0b427c71..ddffd7ce1 100644 --- a/app/Http/Controllers/V1/Admin/Modules/UnzipModuleController.php +++ b/app/Http/Controllers/V1/Admin/Modules/UnzipModuleController.php @@ -3,18 +3,18 @@ namespace Crater\Http\Controllers\V1\Admin\Modules; use Crater\Http\Controllers\Controller; +use Crater\Http\Requests\UnzipUpdateRequest; use Crater\Space\ModuleInstaller; -use Illuminate\Http\Request; class UnzipModuleController extends Controller { /** * Handle the incoming request. * - * @param \Illuminate\Http\Request $request + * @param \Crater\Http\Requests\UnzipUpdateRequest $request * @return \Illuminate\Http\Response */ - public function __invoke(Request $request) + public function __invoke(UnzipUpdateRequest $request) { $this->authorize('manage modules'); diff --git a/app/Http/Controllers/V1/Admin/Modules/UploadModuleController.php b/app/Http/Controllers/V1/Admin/Modules/UploadModuleController.php index a700537f7..34b10687d 100644 --- a/app/Http/Controllers/V1/Admin/Modules/UploadModuleController.php +++ b/app/Http/Controllers/V1/Admin/Modules/UploadModuleController.php 
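Review bot: Type-hinting a form request on `__invoke` makes Laravel resolve and validate it before the method body runs, so the `$this->authorize('manage modules')` call kept in this hunk now executes after validation instead of before it. If the request's `authorize()` simply returns true (its body is not visible on this page), a caller without the permission receives 422 validation feedback rather than an immediate 403. Consider moving the gate into the request class, e.g. `return $this->user()->can('manage modules');` in `UnzipUpdateRequest::authorize()`, and likewise for `UploadModuleRequest`, whose controller hunk follows the identical pattern. The body of `__invoke` continues past the end of the hunk.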
@@ -3,18 +3,18 @@ namespace Crater\Http\Controllers\V1\Admin\Modules; use Crater\Http\Controllers\Controller; +use Crater\Http\Requests\UploadModuleRequest; use Crater\Space\ModuleInstaller; -use Illuminate\Http\Request; class UploadModuleController extends Controller { /** * Handle the incoming request. * - * @param \Illuminate\Http\Request $request + * @param \Crater\Http\Requests\UploadModuleRequest $request * @return \Illuminate\Http\Response */ - public function __invoke(Request $request) + public function __invoke(UploadModuleRequest $request) { $this->authorize('manage modules'); diff --git a/app/Http/Requests/UnzipUpdateRequest.php b/app/Http/Requests/UnzipUpdateRequest.php new file mode 100644 index 000000000..1557d6f37 --- /dev/null +++ b/app/Http/Requests/UnzipUpdateRequest.php @@ -0,0 +1,37 @@ + [ + 'required', + 'regex:/^[\.\/\w\-]+$/' + ], + 'module' => [ + 'required', + 'string' + ] + ]; + } +} diff --git a/app/Http/Requests/UploadModuleRequest.php b/app/Http/Requests/UploadModuleRequest.php new file mode 100644 index 000000000..da5929417 --- /dev/null +++ b/app/Http/Requests/UploadModuleRequest.php @@ -0,0 +1,40 @@ + [ + 'required', + 'file', + 'mimes:zip', + 'max:20000' + ], + 'module' => [ + 'required', + 'string', + 'max:100' + ] + ]; + } +}
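Review bot: The `regex:/^[\.\/\w\-]+$/` rule on the first field of `UnzipUpdateRequest` (its key and the class header are missing from this page) still accepts `..` segments and a leading `/`, since both `.` and `/` are in the allowed character class, so by itself it does not confine the value to one directory. Add an explicit rejection beside it, e.g. `'not_regex:/\.\./'`, and have the code that consumes the value (outside this diff) compare the resolved path against the expected base directory before use. In PCRE `$` also matches before a trailing newline; anchoring with `\A…\z`, as in `'regex:/\A[\.\/\w\-]+\z/'`, closes that. The `module` rule here has no `max:100`, unlike the same field in `UploadModuleRequest`.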
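Review bot: In `UploadModuleRequest`, `file`, `mimes:zip` and `max:20000` constrain only the uploaded container (its type and, because `max` on a file counts kilobytes, roughly 20 MB compressed); nothing here bounds what the archive expands to or what its entry names contain. Those checks belong in the extraction step, which is not part of this diff, so confirm that it rejects entries whose resolved path leaves the target directory and that it caps total uncompressed size. `module` is limited to `string` and `max:100` with no character restriction; if the value ends up in a filesystem path or URL, a rule such as `'regex:/\A[\w\-]+\z/'` would pin it down, provided the naming scheme allows it. A short comment stating the unit of `max:20000` would also help the next reader.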