critical bug with SQL injection fixed!
Your Name committed Nov 23, 2019
1 parent 55bb5b3 commit a3eb3c6
Showing 2 changed files with 45 additions and 34 deletions.
65 changes: 35 additions & 30 deletions server/modules/api/v1.js
Expand Up @@ -168,7 +168,7 @@ exports.onGetOrderbook = function(req, res)
});
}

exports.onGetMarketSummary = function(req, res)
exports.onGetMarketSummary = async function(req, res)
{
const dataParsed = url.parse(req.url);
if (!dataParsed || !dataParsed.query)
Expand All @@ -190,28 +190,28 @@ exports.onGetMarketSummary = function(req, res)

const MarketName = queryStr.market;

g_constants.dbTables['coins'].selectAll('name, ticker, info, icon', 'ticker="'+data[1]+'"', '', (err, rows) => {
if (err || !rows)
return onError(req, res, err && err.message ? err.message : 'unknown database error');
try
{
//g_constants.dbTables['coins'].selectAll('name, ticker, info, icon', 'ticker="'+data[1]+'"', '', (err, rows) => {
// if (err || !rows)
// return onError(req, res, err && err.message ? err.message : 'unknown database error');

if (!rows.length)
return onError(req, res, 'ticker '+data[1]+' not found');
//if (!rows.length)
// return onError(req, res, 'ticker '+data[1]+' not found');

const COIN = rows[0];
const coin_icon_src = rows[0].icon;
const coin_info = JSON.parse(utils.Decrypt(rows[0].info));
//const COIN = rows[0];
const COIN = await utils.GetCoinFromTicker(data[1]);
const coin_icon_src = COIN.icon;
const coin_info = JSON.parse(utils.Decrypt(COIN.info));

const WHERE = 'coin="'+COIN.name+'" AND time*1 > ('+Date.now()+'*1 - '+period+'*3600*1000)';

const METHOD = 'onGetMarketSummary_'+WHERE;

let ret = GetCache(METHOD);
if (ret)
{
onSuccess(req, res, ret);
return;
}

return onSuccess(req, res, ret);

g_constants.dbTables['history'].selectAll('max((fromBuyerToSeller*1)/fromSellerToBuyer) AS Height, min((fromBuyerToSeller*1)/fromSellerToBuyer) AS Low, sum(fromSellerToBuyer*1) AS Volume', WHERE, 'GROUP BY coin', (err, rows) => {
if (err || !rows)
{
Expand Down Expand Up @@ -254,7 +254,12 @@ exports.onGetMarketSummary = function(req, res)

});

});
}
catch (e)
{
return onError(req, res, e.message || 'unknown error');
}
//});
}

exports.onGetMarketHistory = function(req, res)
Expand Down Expand Up @@ -310,7 +315,7 @@ exports.onGetMarketHistory = function(req, res)
});
}

function SubmitOrder(req, res, buysell)
async function SubmitOrder(req, res, buysell)
{
try
{
Expand All @@ -323,7 +328,7 @@ function SubmitOrder(req, res, buysell)
const currency = queryStr.market.split('-');
if (!currency.length || currency.length != 2) throw new Error('Bad request. Parameter currency is invalid.');

utils.GetCoinFromTicker(currency[1], coin => {
const coin = await utils.GetCoinFromTicker(currency[1]); //, coin => {
if (!coin || !coin.name)
return onError(req, res, 'Coin ticker not found');

Expand Down Expand Up @@ -352,7 +357,7 @@ function SubmitOrder(req, res, buysell)
return onError(req, res, e.message);
}
})
});
//});
}
catch(e) {
return onError(req, res, e.message);
Expand Down Expand Up @@ -417,7 +422,7 @@ exports.onMarketCancel = function(req, res)
}
}

exports.onMarketGetOpenOrders = function(req, res)
exports.onMarketGetOpenOrders = async function(req, res)
{
try
{
Expand All @@ -430,7 +435,7 @@ exports.onMarketGetOpenOrders = function(req, res)
const currency = queryStr.market.split('-');
if (!currency.length || currency.length != 2) throw new Error('Bad request. Parameter currency is invalid.');

utils.GetCoinFromTicker(currency[1], coin => {
const coin = await utils.GetCoinFromTicker(currency[1]); //, coin => {
if (!coin || !coin.name)
return onError(req, res, 'Coin ticker not found');

Expand Down Expand Up @@ -468,14 +473,14 @@ exports.onMarketGetOpenOrders = function(req, res)
return onError(req, res, e.message);
}
})
});
//});
}
catch(e) {
return onError(req, res, e.message);
}
}

exports.onAccountGetBalance = function(req, res)
exports.onAccountGetBalance = async function(req, res)
{
try
{
Expand All @@ -485,7 +490,7 @@ exports.onAccountGetBalance = function(req, res)
const queryStr = querystring.parse(dataParsed.query);
if (!queryStr.apikey || !queryStr.nonce || !queryStr.currency) throw new Error('Bad request. Required parameter (apikey or nonce or currency) not found.');

utils.GetCoinFromTicker(queryStr.currency, coin => {
const coin = await utils.GetCoinFromTicker(queryStr.currency);//, coin => {
if (!coin || !coin.name)
return onError(req, res, 'Coin ticker not found');

Expand Down Expand Up @@ -516,7 +521,7 @@ exports.onAccountGetBalance = function(req, res)
return onError(req, res, e.message);
}
})
});
//});
}
catch(e) {
return onError(req, res, e.message);
Expand Down Expand Up @@ -599,7 +604,7 @@ exports.onEditAPIkey = function(req, res)
}
}

exports.onAccountGetDepositAddress = function(req, res)
exports.onAccountGetDepositAddress = async function(req, res)
{
const dataParsed = url.parse(req.url);
if (!dataParsed || !dataParsed.query || !req.headers['apisign'])
Expand All @@ -609,7 +614,7 @@ exports.onAccountGetDepositAddress = function(req, res)
if (!queryStr.apikey || !queryStr.nonce || !queryStr.currency)
return onError(req, res, 'Bad request. Required parameter (apikey or nonce or currency) not found.');

utils.GetCoinFromTicker(queryStr.currency, coin => {
const coin = utils.GetCoinFromTicker(queryStr.currency); //, coin => {
if (!coin || !coin.name)
return onError(req, res, 'Coin ticker not found');

Expand All @@ -632,7 +637,7 @@ exports.onAccountGetDepositAddress = function(req, res)
return onError(req, res, e.message);
}
})
});
//});
}

exports.onAccountGetOrder = function(req, res)
Expand Down Expand Up @@ -745,7 +750,7 @@ exports.onRedeemCoupon = function(req, res)
}


exports.onAccountWithdraw = function(req, res)
exports.onAccountWithdraw = async function(req, res)
{
const dataParsed = url.parse(req.url);
if (!dataParsed || !dataParsed.query || !req.headers['apisign'])
Expand All @@ -761,7 +766,7 @@ exports.onAccountWithdraw = function(req, res)
if (queryStr.quantity < 0.00001)
return onError(req, res, 'Bad request. quantity < 0.00001 (is too low)');

utils.GetCoinFromTicker(queryStr.currency, coin => {
const coin = await utils.GetCoinFromTicker(queryStr.currency); //, coin => {
if (!coin || !coin.name)
return onError(req, res, 'Coin ticker not found');

Expand Down Expand Up @@ -814,7 +819,7 @@ exports.onAccountWithdraw = function(req, res)
});
}
}, req);
});
//});
}

function CheckAPIkey(strKey, strSign, strQuery, callback, req)
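Review bot: In `onAccountGetDepositAddress` the converted line `const coin = utils.GetCoinFromTicker(queryStr.currency);` is missing the `await` that every other converted call site in this file has, so `coin` is a pending Promise, `coin.name` is undefined, and the handler always answers 'Coin ticker not found'; it should read `const coin = await utils.GetCoinFromTicker(queryStr.currency);`. Since `GetCoinFromTicker` now rejects for unknown tickers, and neither this handler nor `onAccountWithdraw` shows a `try`/`catch` around its `await` in the visible lines (both functions continue outside their hunks), a rejection there would surface as an unhandled promise rejection with no response sent instead of the `onError` reply the old callback path produced; wrapping the body the way `SubmitOrder` and `onMarketGetOpenOrders` do would close that gap. In `onGetMarketSummary`, `WHERE` is still assembled by string concatenation (`'coin="'+COIN.name+'" AND time*1 > ('+Date.now()+'*1 - '+period+'*3600*1000)'`); `period` is defined outside the hunk, so whether it is validated as a number cannot be confirmed here and is worth checking given the commit's stated purpose.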
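--- a/server/utils.js
+++ b/server/utils.js
@@ -648,8 +648,14 @@ exports.CheckCoin = function(coin, callback)
 
 exports.GetCoinFromTicker = function(ticker, callback)
 {
-g_constants.dbTables['coins'].selectAll('ROWID AS id, *', 'ticker="'+escape(ticker)+'"', '', (err, rows) => {
-if (err || !rows || !rows.length) return callback({});
-callback(rows[0]);
-})
+return new Promise(async (ok, cancel) => {
+try {
+const rows = await g_constants.dbTables['coins'].Select('ROWID AS id, *', 'ticker="'+escape(ticker)+'"', '');
+if (!rows || !rows.length || !rows[0].name) throw new Error('Coin ticker ('+escape(ticker)+') not found!');
+return ok(rows[0]);
+}
+catch(e) {
+return cancel(e);
+}
+});
 }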
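Review bot: `exports.GetCoinFromTicker` keeps the `callback` parameter in its signature while the new body never calls it, so any caller not updated in this commit that still passes a callback receives a Promise it never consumes and its callback never fires; either drop the parameter or document the new contract, e.g. `/** Resolves with the coin row for ticker; rejects with an Error when the ticker is unknown or the row has no name. The callback parameter is no longer used. */`. The `new Promise(async (ok, cancel) => …)` wrapper could simply be an `async function` that returns `rows[0]` and throws the Error directly; the `try`/`catch` does keep the rejection from being lost, so this is a point of style. The query is still built by concatenation around `escape(ticker)`; `escape` is not defined in the hunk, and if it is the global JS percent-encoder rather than a SQL-escaping helper it happens to neutralize the quote for this pattern, but a parameterized query (if `Select` supports placeholders) would be the robust form. The thrown message also echoes `escape(ticker)` back, and the v1.js callers forward `e.message` to the client, so consider a fixed message there.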
