From c600f41e5af96d7f762e370e0b5f96536d401ae3 Mon Sep 17 00:00:00 2001
From: ze0s <43699394+zze0s@users.noreply.github.com>
Date: Mon, 26 Feb 2024 18:06:00 +0100
Subject: [PATCH] feat(indexers): sanitize user input (#1420)

---
 internal/indexer/service.go | 15 +++++++++++++++
 pkg/sanitize/sanitize.go | 8 ++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 pkg/sanitize/sanitize.go

diff --git a/internal/indexer/service.go b/internal/indexer/service.go
index 1faa752..2c043f5 100644
--- a/internal/indexer/service.go
+++ b/internal/indexer/service.go
@@ -17,6 +17,7 @@ import (
 "github.com/autobrr/autobrr/internal/logger"
 "github.com/autobrr/autobrr/internal/scheduler"
 "github.com/autobrr/autobrr/pkg/errors"
+ "github.com/autobrr/autobrr/pkg/sanitize"

 "github.com/gosimple/slug"
 "github.com/rs/zerolog"
@@ -78,6 +79,13 @@ func NewService(log logger.Logger, config *domain.Config, repo domain.IndexerRep
 }

 func (s *service) Store(ctx context.Context, indexer domain.Indexer) (*domain.Indexer, error) {
+ // sanitize user input
+ indexer.Name = sanitize.String(indexer.Name)
+
+ for key, val := range indexer.Settings {
+ indexer.Settings[key] = sanitize.String(val)
+ }
+
 // if indexer is rss or torznab do additional cleanup for identifier
 if isImplFeed(indexer.Implementation) {
 // make lowercase
@@ -103,6 +111,13 @@ func (s *service) Store(ctx context.Context, indexer domain.Indexer) (*domain.In
 }

 func (s *service) Update(ctx context.Context, indexer domain.Indexer) (*domain.Indexer, error) {
+ // sanitize user input
+ indexer.Name = sanitize.String(indexer.Name)
+
+ for key, val := range indexer.Settings {
+ indexer.Settings[key] = sanitize.String(val)
+ }
+
 i, err := s.repo.Update(ctx, indexer)
 if err != nil {
 s.log.Error().Err(err).Msgf("could not update indexer: %+v", indexer)
diff --git a/pkg/sanitize/sanitize.go b/pkg/sanitize/sanitize.go
new file mode 100644
index 0000000..bdf5556
--- /dev/null
+++ b/pkg/sanitize/sanitize.go
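Review bot: The same seven-line trim block is added verbatim at the top of both `Store` (hunk -78,6) and `Update` (hunk -103,6), so the two paths can drift apart once another field needs cleaning. A small unexported helper called as `sanitizeIndexer(&indexer)` from both methods, trimming `Name` and each `Settings` value, would keep them in step. The comment `// sanitize user input` also reads stronger than what happens, since `sanitize.String` only trims surrounding whitespace. Something like `// trim surrounding whitespace from user-supplied fields` avoids implying the values are validated or escaped. Both method bodies continue outside their hunks.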
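Review bot: The error path in `Update` (hunk -103,6) still logs the whole struct with `Msgf("could not update indexer: %+v", indexer)`, which includes every `Settings` value this hunk now treats as user input. If those settings carry API keys, passkeys or cookies (not visible in this hunk, so confirm against `domain.Indexer`), a failed update writes them to the log in clear text. Logging only an identifying field, e.g. `Msgf("could not update indexer: %s", indexer.Name)`, keeps the message useful without the settings. The rest of the `Update` body is outside the hunk.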
@@ -0,0 +1,8 @@
+package sanitize
+
+import "strings"
+
+func String(str string) string {
+ str = strings.TrimSpace(str)
+ return str
+}
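Review bot: The exported `String` and the new package have no doc comments, and the name `sanitize` promises more than the function delivers, since it only calls `strings.TrimSpace`. A comment such as `// String trims leading and trailing whitespace from str; it does not escape, validate or otherwise neutralise the value.` would stop later callers from treating it as an injection defence. A package comment along the lines of `// Package sanitize provides helpers for normalising user-supplied strings.` would fit the same purpose. The body can also be the single line `return strings.TrimSpace(str)`.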