add validation for inputs in webpage

Author: creeper123123321

src/main/kotlin/com/viaversion/aas/web/WebLogin.kt

@@ -66,13 +66,20 @@ class WebLogin : WebState {
         }
     }
 
+    private fun validateUsername(name: String) {
+        if (name.length > 16) throw StacklessException("Username is too long")
+    }
+
     private suspend fun handleOfflineLogin(webClient: WebClient, msg: String, obj: JsonObject) {
         if (!sha512Hex(msg.encodeToByteArray()).startsWith("00000")) throw StacklessException("PoW failed")
         if (abs(obj["date"].asLong - System.currentTimeMillis()) > Duration.ofSeconds(20).toMillis()) {
             throw StacklessException("Invalid PoW date")
         }
-        if (obj["challenge"].asString != webClient.challenge) throw StacklessException("Invalid challenge")
+        if (obj["challenge"].asString != webClient.challenge) {
+            throw StacklessException("Invalid challenge")
+        }
         val username = obj["username"].asString
+        validateUsername(username)
         val uuid = generateOfflinePlayerUuid(username)
 
         val token = webClient.server.generateToken(uuid, username)
@@ -83,6 +90,7 @@ class WebLogin : WebState {
 
     private suspend fun handleTempCodeLogin(webClient: WebClient, obj: JsonObject) {
         val username = obj["username"].asString
+        validateUsername(username)
         val code = obj["code"].asString
 
         val check = webClient.server.checkTempCode(username, code)
@@ -137,31 +145,48 @@ class WebLogin : WebState {
         webClient.server.completeSessionHashCallback(hash)
     }
 
+    private fun parseVersion(versionString: String): ProtocolVersion {
+        if (versionString.length > 20) throw IllegalArgumentException("Version is too long")
+        return Ints.tryParse(versionString)?.let { ProtocolVersion.getProtocol(it) }
+            ?: ProtocolVersion.getClosest(versionString) ?: AUTO
+    }
+
+    private fun parseHostAndPort(host: String, port: Int): HostAndPort {
+        if (host.length > 255) {
+            throw IllegalArgumentException("Host too long")
+        }
+        return HostAndPort.fromParts(host, port)
+    }
+
     private fun handleParametersResponse(webClient: WebClient, obj: JsonObject) {
         val callback = UUID.fromString(obj["callback"].asString)
+        val backName = obj["backName"]?.asString
+        if (backName != null) validateUsername(backName)
+
         webClient.server.completeAddressCallback(
             callback, AddressInfo(
-                backVersion = obj["version"].asString.let {
-                    Ints.tryParse(it)?.let { ProtocolVersion.getProtocol(it) }
-                        ?: ProtocolVersion.getClosest(it) ?: AUTO
-                },
-                backHostAndPort = HostAndPort.fromParts(obj["host"].asString, obj["port"].asInt),
+                backVersion = parseVersion(obj["version"].asString),
+                backHostAndPort = parseHostAndPort(obj["host"].asString, obj["port"].asInt),
                 frontOnline = obj["frontOnline"].asString.toBooleanStrictOrNull(),
-                backName = obj["backName"]?.asString
+                backName = backName
             )
         )
     }
 
-    private suspend fun handleSaveAccessToken(webClient: WebClient, obj: JsonObject) {
-        val accessToken = obj["mc_access_token"].asString
-        val decodedToken = JWT.decode(accessToken)
+    private fun verifyTokenTime(notBefore: Instant, expiration: Instant) {
         val now = Instant.now()
-        if (now > decodedToken.expiresAtAsInstant) {
+        if (now > expiration) {
             throw IllegalArgumentException("mc access token has expired")
         }
-        if (now < decodedToken.notBeforeAsInstant) {
+        if (now < notBefore) {
             throw IllegalArgumentException("mc access token notBefore is in the future")
         }
+    }
+
+    private suspend fun handleSaveAccessToken(webClient: WebClient, obj: JsonObject) {
+        val accessToken = obj["mc_access_token"].asString
+        val decodedToken = JWT.decode(accessToken)
+        verifyTokenTime(decodedToken.notBeforeAsInstant, decodedToken.expiresAtAsInstant)
         val expectedId = UUID.fromString(decodedToken.getClaim("profiles").asMap()["mc"].toString())
 
         val profile = AspirinServer.httpClient.get("https://api.minecraftservices.com/minecraft/profile") {

src/main/resources/web/index.html

@@ -105,13 +105,13 @@
             <form class="input-group mb-3 row g-3 justify-content-md-center" id="address_info_form">
                 <div class="col-md-3">
                     <input id="connect_address" type="text" class="form-control" placeholder="Address:Port"
-                           aria-label="Address and Port">
+                           aria-label="Address and Port" required maxlength="200">
                 </div>
                 <div class="col-md-2">
                     <div class="input-group">
                         <span class="input-group-text"><abbr title="Version">v</abbr></span>
                         <input id="connect_version" type="text" class="form-control col-auto" placeholder="Version"
-                               aria-label="Version" list="backend_version_list">
+                               aria-label="Version" list="backend_version_list" maxlength="20">
                     </div>
                     <datalist id="backend_version_list">
                         <option>AUTO</option>
@@ -189,7 +189,7 @@
                     <div class="input-group">
                         <span class="input-group-text">.</span>
                         <input id="instance_suffix" type="text" class="form-control"
-                               placeholder="Instance Suffix" aria-label="Instance Suffix" disabled readonly>
+                               placeholder="Instance Suffix" aria-label="Instance Suffix" disabled readonly required maxlength="64">
                     </div>
                 </div>
             </form>
@@ -347,7 +347,7 @@ <h5 class="modal-title" id="listenModalLabel">Listen to logins</h5>
                     <p>The instance will send auth requests and address parameters to this page.</p>
                     <div class="mb-3">
                         <label for="listen_username" class="form-label">Username</label>
-                        <input type="text" class="form-control" id="listen_username">
+                        <input type="text" class="form-control" id="listen_username" required maxlength="16">
                     </div>
                     <div class="mb-3 form-check">
                         <input type="checkbox" class="form-check-input" id="listen_online" checked>
@@ -356,18 +356,18 @@ <h5 class="modal-title" id="listenModalLabel">Listen to logins</h5>
                     <div class="mb-3" id="listen_code_div">
                         <label for="listen_code" class="form-label">Temp Code</label>
                         <p>Join <span id="link_address" class="font-monospace"></span> in game to get the temporary code</p>
-                        <input type="text" class="form-control" id="listen_code">
+                        <input type="text" class="form-control" id="listen_code" maxlength="7">
                     </div>
                 </div>
                 <div class="modal-footer">
-                    <button type="submit" class="btn btn-primary" data-bs-dismiss="modal">Listen</button>
+                    <button type="submit" class="btn btn-primary">Listen</button>
                 </div>
             </div>
         </form>
     </div>
 </div>
 
-<div aria-hidden="true" aria-labelledby="listenModalLabel" class="modal fade" id="sendTokenModal" tabindex="-1">
+<div aria-hidden="true" aria-labelledby="sendTokenModalLabel" class="modal fade" id="sendTokenModal" tabindex="-1">
     <div class="modal-dialog modal-dialog-scrollable">
         <form id="form_send_token">
             <div class="modal-content">
@@ -381,13 +381,13 @@ <h5 class="modal-title" id="sendTokenModalLabel">Save Access Token in Instance</
                     <p>You'll need to connect as online-mode in the front-end.</p>
                     <div class="input-group mb-3">
                         <label class="input-group-text" for="send_token_user">Account</label>
-                        <select class="form-select" id="send_token_user">
-                            <option selected>Choose...</option>
+                        <select class="form-select" id="send_token_user" required>
+                            <option value="" selected>Choose...</option>
                         </select>
                     </div>
                 </div>
                 <div class="modal-footer">
-                    <button type="submit" class="btn btn-primary" data-bs-dismiss="modal">Send</button>
+                    <button type="submit" class="btn btn-primary">Send</button>
                 </div>
             </div>
         </form>

src/main/resources/web/js/page.js

@@ -6,6 +6,7 @@ let accounts = document.getElementById("accounts-list");
 let cors_proxy_txt = document.getElementById("cors-proxy");
 let ws_url_txt = document.getElementById("ws-url");
 let instance_suffix_input = document.getElementById("instance_suffix");
+let addressInfoForm = document.getElementById("address_info_form");
 let listenVisible = false;
 let deltaTime = 0;
 let challenge = "";
@@ -109,8 +110,10 @@ function copyGeneratedAddress() {
     navigator.clipboard.writeText($("#generated_address").text()).catch(e => console.log(e));
 }
 function generateAddress() {
-    let backAddress = $("#connect_address").val();
     try {
+        if (!addressInfoForm.checkValidity())
+            throw Error("invalid input");
+        let backAddress = $("#connect_address").val();
         let url = new URL("https://" + backAddress);
         let finalAddress = "";
         let host = url.hostname;
@@ -142,6 +145,7 @@ function submittedListen() {
     let user = $("#listen_username").val().trim();
     if (!user)
         return;
+    bootstrap.Modal.getInstance("#listenModal").hide();
     if ($("#listen_online")[0].checked) {
         sendSocket(JSON.stringify({
             action: "temp_code_login",
@@ -162,6 +166,7 @@ function submittedListen() {
     }
 }
 function submittedSendToken() {
+    bootstrap.Modal.getInstance("#sendTokenModal").hide();
     let account = findAccountByMcName($("#send_token_user").val());
     if (!account)
         return;

src/main/typescript/web/js/page.ts

@@ -2,13 +2,14 @@
 // Note that some APIs only work on HTTPS
 
 // Page
-let connectionStatus = document.getElementById("connection_status")!!;
-let corsStatus = document.getElementById("cors_status")!!;
-let listening = document.getElementById("listening")!!;
-let accounts = document.getElementById("accounts-list")!!;
+let connectionStatus = document.getElementById("connection_status")!;
+let corsStatus = document.getElementById("cors_status")!;
+let listening = document.getElementById("listening")!;
+let accounts = document.getElementById("accounts-list")!;
 let cors_proxy_txt = document.getElementById("cors-proxy") as HTMLInputElement;
 let ws_url_txt = document.getElementById("ws-url") as HTMLInputElement;
 let instance_suffix_input = document.getElementById("instance_suffix") as HTMLInputElement;
+let addressInfoForm = document.getElementById("address_info_form") as HTMLFormElement
 let listenVisible = false;
 // + deltaTime means that the clock is ahead
 let deltaTime = 0;
@@ -127,8 +128,9 @@ function copyGeneratedAddress() {
 }
 
 function generateAddress() {
-    let backAddress = $("#connect_address").val();
     try {
+        if (!addressInfoForm.checkValidity()) throw Error("invalid input")
+        let backAddress = $("#connect_address").val();
         let url = new URL("https://" + backAddress);
         let finalAddress = "";
         let host = url.hostname;
@@ -155,6 +157,7 @@ function generateAddress() {
 function submittedListen() {
     let user = ($("#listen_username").val() as string).trim();
     if (!user) return;
+    bootstrap.Modal.getInstance("#listenModal")!.hide()
     if (($("#listen_online")[0] as HTMLInputElement).checked) {
         sendSocket(JSON.stringify({
             action: "temp_code_login",
@@ -176,6 +179,7 @@ function submittedListen() {
 }
 
 function submittedSendToken() {
+    bootstrap.Modal.getInstance("#sendTokenModal")!.hide()
     let account = findAccountByMcName($("#send_token_user").val() as string)
     if (!account) return;
     account.acquireActiveToken()
@@ -802,7 +806,7 @@ function listenStoredTokens() {
 
 function onWsConnect(e: Event) {
     let msg = "connected";
-    let socketHost = new URL(socket!!.url).host;
+    let socketHost = new URL(socket!.url).host;
     if (socketHost != location.host) msg += ` to ${socketHost}`;
     setWsStatus(msg);
     resetHtml();