From 9b56efca740500711966d9599614046fea4bd867 Mon Sep 17 00:00:00 2001
From: MasterPtato <23087326+MasterPtato@users.noreply.github.com>
Date: Tue, 27 Aug 2024 18:49:22 +0000
Subject: [PATCH] fix(captcha): sanitize form body (#1098)

Fixes RVTEE-566

**All unit tests pass**

## Changes
---
 svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs | 17 +++++++++--------
 svc/pkg/captcha/ops/turnstile-verify/src/lib.rs | 15 ++++++++-------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs b/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs
index 3515003436..947883f808 100644
--- a/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs
+++ b/svc/pkg/captcha/ops/hcaptcha-verify/src/lib.rs
@@ -1,3 +1,5 @@
+use std::collections::HashMap;
+
 use proto::backend::pkg::*;
 use rivet_operation::prelude::*;
 
@@ -23,16 +25,15 @@ async fn handle(
 util::env::read_secret(&["hcaptcha", "secret"]).await?
 };
 
+ let mut params = HashMap::new();
+ params.insert("response", &ctx.client_response);
+ params.insert("secret", &secret_key);
+ params.insert("sitekey", &ctx.site_key);
+ params.insert("remoteip", &ctx.remote_address);
+
 let res = client
 .post("https://hcaptcha.com/siteverify")
- .header("content-type", "application/x-www-form-urlencoded")
- .body(format!(
- "response={client_response}&secret={secret}&sitekey={site_key}&remoteip={remote_address}",
- client_response = ctx.client_response,
- secret = secret_key,
- site_key = ctx.site_key,
- remote_address = ctx.remote_address,
- ))
+ .form(¶ms)
 .send()
 .await?
 .json::()
diff --git a/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs b/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs
index 438503f505..9ddcb67ff8 100644
--- a/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs
+++ b/svc/pkg/captcha/ops/turnstile-verify/src/lib.rs
@@ -1,3 +1,5 @@
+use std::collections::HashMap;
+
 use proto::backend::pkg::*;
 use rivet_operation::prelude::*;
 
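Review bot: The new `params` block in the hcaptcha `handle` hunk (and the matching block in the turnstile-verify hunk below) carries no comment saying why the body is no longer assembled with `format!`, which is the entire point of this fix and the first thing a later refactor would undo; a line such as `// Build the body with .form() so every value is percent-encoded: client_response is caller-supplied and must not be able to add or override fields like secret or remoteip.` above `let mut params = HashMap::new();` would pin that down. As a point of style, `.form()` accepts any `Serialize` value, so a slice of pairs — `.form(&[("response", &ctx.client_response), ("secret", &secret_key), ("sitekey", &ctx.site_key), ("remoteip", &ctx.remote_address)])` — would send the fields in a fixed order and remove the need for the `HashMap` import added in the first hunk of each file; the `HashMap` already requires all four values to share one type, so the slice form compiles under the same conditions. The `handle` function starts and ends outside the hunk, so whether `ctx.remote_address` may be empty (and how the verifier treats an empty `remoteip`) cannot be judged from here.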
@@ -17,15 +19,14 @@ async fn handle(
 ) -> GlobalResult {
 let client = reqwest::Client::new();
 
+ let mut params = HashMap::new();
+ params.insert("response", &ctx.client_response);
+ params.insert("secret", &ctx.secret_key);
+ params.insert("remoteip", &ctx.remote_address);
+
 let res = client
 .post("https://challenges.cloudflare.com/turnstile/v0/siteverify")
- .header("content-type", "application/x-www-form-urlencoded")
- .body(format!(
- "response={client_response}&secret={secret}&remoteip={remote_address}",
- client_response = ctx.client_response,
- secret = ctx.secret_key,
- remote_address = ctx.remote_address,
- ))
+ .form(¶ms)
 .send()
 .await?
 .json::()