From 4ab4748b9f242bab6cbe54e248ad808d292c2a48 Mon Sep 17 00:00:00 2001
From: Fran Rogers
Date: Fri, 29 Jan 2021 22:55:26 -0500
Subject: [PATCH 1/2] Validate inputs for ?ae7q and ?qrz commands
---
exts/ae7q.py | 42 ++++++++++++++++++++++++++++++++++++++++++
exts/qrz.py | 9 +++++++++
2 files changed, 51 insertions(+)
diff --git a/exts/ae7q.py b/exts/ae7q.py
index b11aeeb..eacad7e 100644
--- a/exts/ae7q.py
+++ b/exts/ae7q.py
@@ -16,6 +16,8 @@ the GNU General Public License, version 2.
# KC4USA: reserved, no call history, *but* has application history
+import re
+
import aiohttp
from bs4 import BeautifulSoup
@@ -44,6 +46,14 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
+ if not re.match('[A-Z0-9]+$', callsign):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "AE7Q History for Callsign"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid callsign!"
+ await ctx.send(embed=embed)
+ return
+
async with self.session.get(base_url + callsign) as resp:
if resp.status != 200:
raise cmn.BotHTTPError(resp)
@@ -110,6 +120,14 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
+ if not re.match('[A-Z0-9]+$', callsign):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "AE7Q Trustee History for Callsign"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid callsign!"
+ await ctx.send(embed=embed)
+ return
+
async with self.session.get(base_url + callsign) as resp:
if resp.status != 200:
raise cmn.BotHTTPError(resp)
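Review bot: The guard `if not re.match('[A-Z0-9]+$', callsign):` still lets a trailing newline through, because `$` matches before a final `\n` as well as at the true end of the string, so `"W1AW\n"` passes and is concatenated into `base_url + callsign`; `re.fullmatch(r'[A-Z0-9]+', callsign)` pins both ends. discord.py's argument splitting probably never hands the command a trailing newline, so this is a tightening rather than a live hole, but a check whose only job is to keep the value safe for the URL should not rely on that. The pattern also has no `re.IGNORECASE`, unlike the QRZ guard in this same patch, so a lowercase `w1aw` is rejected here unless the caller uppercases it first. The enclosing command function starts outside the hunk, so I cannot see whether it does.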
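Review bot: Inside the trustee-history guard, `embed = cmn.embed_factory(ctx)` is assigned a second time although the context line two lines above has just built the same object, so on the error path the first assignment is dead. Dropping the inner `embed = cmn.embed_factory(ctx)` and reusing the existing `embed` shortens the branch to the three attribute assignments plus `send` without changing what the user sees. The same duplicate appears in each of the new guards in this file. The enclosing command function starts outside the hunk.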
@@ -178,6 +196,14 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
+ if not re.match('[A-Z0-9]+$', callsign):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "AE7Q Application History for Callsign"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid callsign!"
+ await ctx.send(embed=embed)
+ return
+
async with self.session.get(base_url + callsign) as resp:
if resp.status != 200:
raise cmn.BotHTTPError(resp)
@@ -250,6 +276,14 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/FrnHistory.php?FRN="
embed = cmn.embed_factory(ctx)
+ if not re.match('[0-9]+$', frn):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "AE7Q History for FRN"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid FRN!"
+ await ctx.send(embed=embed)
+ return
+
async with self.session.get(base_url + frn) as resp:
if resp.status != 200:
raise cmn.BotHTTPError(resp)
@@ -313,6 +347,14 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/LicenseeIdHistory.php?ID="
embed = cmn.embed_factory(ctx)
+ if not re.match('[A-Z][0-9]+$', licensee_id, re.IGNORECASE):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "AE7Q History for Licensee"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid licensee ID!"
+ await ctx.send(embed=embed)
+ return
+
async with self.session.get(base_url + licensee_id) as resp:
if resp.status != 200:
raise cmn.BotHTTPError(resp)
diff --git a/exts/qrz.py b/exts/qrz.py
index 0e79e4b..776e0fa 100644
--- a/exts/qrz.py
+++ b/exts/qrz.py
@@ -9,6 +9,7 @@ the GNU General Public License, version 2.
from io import BytesIO
+import re
import aiohttp
from lxml import etree
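Review bot: The seven-line error reply in the application-history guard is the third verbatim copy of the same block in this patch (five in this file, one in qrz.py), differing only in the title and message strings, so any later fix to the reply — colour, wording, the duplicated `embed_factory` call — has to be made six times. A small cog method that builds and sends the "bad input" embed collapses each guard to two lines and keeps the five call sites from drifting apart. The sketch below keeps the existing `re.match` test and strings unchanged; only the reply is moved. The enclosing command function starts outside the hunk.

```python
    async def _send_invalid(self, ctx, title: str, message: str) -> None:
        # Shared "bad input" reply for the validation guards below.
        embed = cmn.embed_factory(ctx)
        embed.title = title
        embed.colour = cmn.colours.bad
        embed.description = message
        await ctx.send(embed=embed)

        # … unchanged: command signature, base_url and embed setup …
        if not re.match('[A-Z0-9]+$', callsign):
            await self._send_invalid(ctx, "AE7Q Application History for Callsign", "Not a valid callsign!")
            return
```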
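Review bot: The FRN guard `if not re.match('[0-9]+$', frn):` has the same `$`-before-newline gap as the callsign patterns and puts no upper bound on length, so a 2000-digit chat message is accepted and forwarded to AE7Q. As far as I know an FCC FRN is a fixed ten-digit number, in which case `re.fullmatch(r'[0-9]{10}', frn)` is the tighter allowlist; confirm the width against AE7Q's own form before narrowing it, since a wrong guess would reject real lookups. The enclosing command function starts outside the hunk.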
@@ -31,6 +32,14 @@ class QRZCog(commands.Cog):
"""Looks up a callsign on [QRZ.com](https://www.qrz.com/). Add `--link` to only link the QRZ page."""
flags = [f.lower() for f in flags]
+ if not re.match('[A-Z0-9]+$', callsign, re.IGNORECASE):
+ embed = cmn.embed_factory(ctx)
+ embed.title = "QRZ Data for Callsign"
+ embed.colour = cmn.colours.bad
+ embed.description = "Not a valid callsign!"
+ await ctx.send(embed=embed)
+ return
+
if keys.qrz_user == "" or keys.qrz_pass == "" or "--link" in flags:
await ctx.send(f"http://qrz.com/db/{callsign}")
return
From 483a0bad195e3379f54d1f0b8d6e747194eefe78 Mon Sep 17 00:00:00 2001
From: Fran Rogers
Date: Fri, 29 Jan 2021 23:43:30 -0500
Subject: [PATCH 2/2] Use str.isalnum and str.isdecimal instead of re.match for ?ae7q and ?qrz input validation
---
exts/ae7q.py | 12 +++++-------
exts/qrz.py | 3 +--
2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/exts/ae7q.py b/exts/ae7q.py
index eacad7e..8cf76c7 100644
--- a/exts/ae7q.py
+++ b/exts/ae7q.py
@@ -16,8 +16,6 @@ the GNU General Public License, version 2.
# KC4USA: reserved, no call history, *but* has application history
-import re
-
import aiohttp
from bs4 import BeautifulSoup
@@ -46,7 +44,7 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
- if not re.match('[A-Z0-9]+$', callsign):
+ if not callsign.isalnum():
embed = cmn.embed_factory(ctx)
embed.title = "AE7Q History for Callsign"
embed.colour = cmn.colours.bad
@@ -120,7 +118,7 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
- if not re.match('[A-Z0-9]+$', callsign):
+ if not callsign.isalnum():
embed = cmn.embed_factory(ctx)
embed.title = "AE7Q Trustee History for Callsign"
embed.colour = cmn.colours.bad
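Review bot: `callsign.isalnum()` in the call-history guard is a looser allowlist than the `[A-Z0-9]` class it replaces: it is true for any Unicode letter or digit, so `'Ｗ１ＡＷ'`, `'W1AW²'` or `'ÀB1C'` now pass and are concatenated into `base_url + callsign`. aiohttp's URL handling should percent-encode those before the request leaves, so this is not a query-injection path, but the guard no longer guarantees the plain ASCII the `CALL=` parameter presumably expects, and the commit message does not mention the widening. `if not (callsign.isascii() and callsign.isalnum()):` restores the ASCII bound while keeping the regex-free form (`str.isascii` needs Python 3.7+; confirm against the project's floor). The enclosing command function starts outside the hunk.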
@@ -196,7 +194,7 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/CallHistory.php?CALL="
embed = cmn.embed_factory(ctx)
- if not re.match('[A-Z0-9]+$', callsign):
+ if not callsign.isalnum():
embed = cmn.embed_factory(ctx)
embed.title = "AE7Q Application History for Callsign"
embed.colour = cmn.colours.bad
@@ -276,7 +274,7 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/FrnHistory.php?FRN="
embed = cmn.embed_factory(ctx)
- if not re.match('[0-9]+$', frn):
+ if not frn.isdecimal():
embed = cmn.embed_factory(ctx)
embed.title = "AE7Q History for FRN"
embed.colour = cmn.colours.bad
@@ -347,7 +345,7 @@ class AE7QCog(commands.Cog):
base_url = "http://ae7q.com/query/data/LicenseeIdHistory.php?ID="
embed = cmn.embed_factory(ctx)
- if not re.match('[A-Z][0-9]+$', licensee_id, re.IGNORECASE):
+ if not licensee_id.isalnum():
embed = cmn.embed_factory(ctx)
embed.title = "AE7Q History for Licensee"
embed.colour = cmn.colours.bad
diff --git a/exts/qrz.py b/exts/qrz.py
index 776e0fa..169635e 100644
--- a/exts/qrz.py
+++ b/exts/qrz.py
@@ -9,7 +9,6 @@ the GNU General Public License, version 2.
from io import BytesIO
-import re
import aiohttp
from lxml import etree
@@ -32,7 +31,7 @@ class QRZCog(commands.Cog):
"""Looks up a callsign on [QRZ.com](https://www.qrz.com/). Add `--link` to only link the QRZ page."""
flags = [f.lower() for f in flags]
- if not re.match('[A-Z0-9]+$', callsign, re.IGNORECASE):
+ if not callsign.isalnum():
embed = cmn.embed_factory(ctx)
embed.title = "QRZ Data for Callsign"
embed.colour = cmn.colours.bad
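Review bot: `frn.isdecimal()` in the FRN guard accepts every Unicode decimal digit — Arabic-Indic `'٣'`, fullwidth `'３'` and so on — not just `0-9`, so it is looser than the `[0-9]+$` it replaces. `int()` would parse such a string, but the value is not converted here; it goes straight into `base_url + frn` and the `FRN=` parameter presumably expects ASCII digits. `if not (frn.isascii() and frn.isdecimal()):` keeps the ASCII bound without bringing `re` back. The enclosing command function starts outside the hunk.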
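Review bot: `licensee_id.isalnum()` drops the letter-then-digits shape that `[A-Z][0-9]+` enforced in the previous patch: an all-digit or all-letter string now passes, as does any Unicode alphanumeric, and nothing in the hunk says whether that relaxation is intended. If the shape was deliberate, `licensee_id.isascii() and licensee_id[:1].isalpha() and licensee_id[1:].isdecimal()` keeps it while still avoiding `re`; if it was never required, a comment such as `# deliberately looser than the former [A-Z][0-9]+ pattern` would stop the next reader from re-tightening it. The enclosing command function starts outside the hunk.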
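Review bot: Neither the old pattern nor `callsign.isalnum()` in the QRZ guard bounds the length, so a 2000-character alphanumeric chat message passes and is forwarded to the QRZ lookup (and, on the `--link` path shown in the previous patch, echoed back as a URL). A cap such as `if len(callsign) > 16 or not callsign.isalnum():` is cheap insurance for a value that comes straight from chat; pick the limit from the longest callsign QRZ actually serves rather than my guess. As with the AE7Q guards, `isalnum()` also admits non-ASCII letters and digits, so `callsign.isascii() and callsign.isalnum()` is the tighter form if ASCII was the intent. The enclosing command function starts outside the hunk.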