fix(captcha): sanitize form body (#1098)
<!-- Please make sure there is an issue that this PR is correlated to. -->
Fixes RVTEE-566

**All unit tests pass**
## Changes

<!-- If there are frontend changes, please include screenshots. -->
MasterPtato committed Aug 27, 2024
1 parent 2c8ae1c commit 9b56efc
Showing 2 changed files with 17 additions and 15 deletions.
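--- a/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs
+++ b/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs
@@ -1,3 +1,5 @@
+use std::collections::HashMap;
+
 use proto::backend::pkg::*;
 use rivet_operation::prelude::*;
 
@@ -23,16 +25,15 @@ async fn handle(
 util::env::read_secret(&["hcaptcha", "secret"]).await?
 };
 
+let mut params = HashMap::new();
+params.insert("response", &ctx.client_response);
+params.insert("secret", &secret_key);
+params.insert("sitekey", &ctx.site_key);
+params.insert("remoteip", &ctx.remote_address);
+
 let res = client
 .post("https://hcaptcha.com/siteverify")
-.header("content-type", "application/x-www-form-urlencoded")
-.body(format!(
-"response={client_response}&secret={secret}&sitekey={site_key}&remoteip={remote_address}",
-client_response = ctx.client_response,
-secret = secret_key,
-site_key = ctx.site_key,
-remote_address = ctx.remote_address,
-))
+.form(&params)
 .send()
 .await?
 .json::<VerifyResponse>()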
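Review bot: The reason for moving to `.form(&params)` is not recorded anywhere in the hunk, so the next reader may "simplify" it back to a hand-built body and reintroduce the problem; add a why-comment above `let mut params = HashMap::new();` such as `// Form-encode each field separately: a client-supplied response token containing '&' or '=' must not be able to inject or override the secret/sitekey fields. .form() also sets the urlencoded content-type, so the explicit header is gone.` The body of `handle` starts before this hunk and continues past `.json::<VerifyResponse>()`, so how the parsed verdict (success flag, error codes) is acted on is not visible here. One small hardening to consider, if `remoteip` is optional on the hCaptcha side as its docs suggest and `ctx.remote_address` can arrive empty: insert it only when non-empty rather than always sending `remoteip=` — worth confirming what the caller passes.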
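--- a/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs
+++ b/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs
@@ -1,3 +1,5 @@
+use std::collections::HashMap;
+
 use proto::backend::pkg::*;
 use rivet_operation::prelude::*;
 
@@ -17,15 +19,14 @@ async fn handle(
 ) -> GlobalResult<captcha::turnstile_verify::Response> {
 let client = reqwest::Client::new();
 
+let mut params = HashMap::new();
+params.insert("response", &ctx.client_response);
+params.insert("secret", &ctx.secret_key);
+params.insert("remoteip", &ctx.remote_address);
+
 let res = client
 .post("https://challenges.cloudflare.com/turnstile/v0/siteverify")
-.header("content-type", "application/x-www-form-urlencoded")
-.body(format!(
-"response={client_response}&secret={secret}&remoteip={remote_address}",
-client_response = ctx.client_response,
-secret = ctx.secret_key,
-remote_address = ctx.remote_address,
-))
+.form(&params)
 .send()
 .await?
 .json::<VerifyResponse>()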
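Review bot: `reqwest::Client::new()` on the context line just above the new params block carries no request timeout, so a slow or unresponsive siteverify upstream holds this operation — and whatever login or signup path awaits it — open indefinitely; consider `let client = reqwest::Client::builder().timeout(Duration::from_secs(10)).build()?;` with `use std::time::Duration;` next to the new `HashMap` import, assuming reqwest errors already convert into `GlobalResult` as the `.await?` on `send()` suggests. The `.form(&params)` change itself is sound: with the secret and the client token percent-encoded as separate fields, a token containing `&secret=` can no longer override the server-side secret, and a one-line comment stating that above `let mut params = HashMap::new();` would keep the intent from being lost on the next refactor. The rest of `handle`, where `res` is inspected, lies outside the hunk.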
