From 2ab089684a1bdbbb6f1f027399adb61d5e8f7291 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Tue, 25 Aug 2020 18:34:02 -0700
Subject: filter out '_all' as a scroll id
---
 src/lib.rs | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/lib.rs b/src/lib.rs
index fc13e64..c5fe410 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -124,11 +124,24 @@ pub async fn filter_request(req: Request, config: &ProxyConfig) -> Result<
 Ok(upstream_req)
 }
 pub fn filter_scroll_request(_params: &UrlQueryParams, body: &[u8], _config: &ProxyConfig) -> Result {
- // XXX
- // TODO: check that scroll_id is not "_all"
 if body.len() > 0 {
 let parsed: parse::ScrollBody = serde_json::from_slice(body)
 .map_err(|e| ProxyError::ParseError(e.to_string()))?;
+ // check that scroll_id is not "_all" or too short
+ match &parsed.scroll_id {
+ parse::StringOrArray::String(single) => {
+ if single == "_all" || single.len() < 8 {
+ return Err(ProxyError::NotSupported(format!("short scroll_id: {}", single)));
+ }
+ },
+ parse::StringOrArray::Array(array) => {
+ for single in array {
+ if single == "_all" || single.len() < 8 {
+ return Err(ProxyError::NotSupported(format!("short scroll_id: {}", single)));
+ }
+ }
+ }
+ }
 Ok(Body::from(serde_json::to_string(&parsed).unwrap()))
 } else {
 Ok(Body::empty())
@@ -139,7 +152,6 @@ pub fn filter_read_request(index: &str, _endpoint: &str, _key: &str, _params: &U
 if !config.allow_index(index) {
 return Err(ProxyError::NotAllowed(format!("index doesn't exist or isn't proxied: {}", index)));
 }
- // XXX: no body needed?
 Ok(Body::empty())
 }
-- 
cgit v1.2.3
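Review bot: The added match validates only a `scroll_id` in the JSON body; `_params` is still unused and the `else` branch returns `Body::empty()` unchecked, so if the upstream also takes a scroll id from the query string or path, `_all` is not filtered on that route unless the caller rejects it elsewhere (not visible here). I would either check `_params` in this function or record the assumption with a comment such as `// only body scroll_ids are validated here; query/path ids must be rejected by the caller`. Inside the match, `single == "_all"` is already implied by `single.len() < 8`, an empty array passes with nothing checked, and both arms repeat the same test, so a small helper like `fn check_scroll_id(id: &str) -> Result<(), ProxyError>` with a message that distinguishes `_all` from a short id would keep the rule in one place. The rejected value is echoed into the error string as-is, which is worth confirming is safe wherever `ProxyError` is rendered or logged. The closing lines of `filter_scroll_request` fall outside the hunk.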