From 71eae60c4dfb6d8826dd3f66e61a855d42f456d6 Mon Sep 17 00:00:00 2001
From: wgapi Cloud9
Date: Fri, 22 Oct 2021 21:32:01 -0600
Subject: [PATCH] Validated user input
---
 app/add.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/add.js b/app/add.js
index 7bb27a8..bc5a6a1 100644
--- a/app/add.js
+++ b/app/add.js
@@ -21,10 +21,13 @@ let axios; (async()=>{
 const dns_key = `hmac-sha512:wgapi-${env.LOCAL_SERVER}:${env.DNS_KEY}`
 module.exports = async (req, res) => {
- const new_hostname = req.query['name']
+ const new_hostname = req.query['name'].trim().toLowerCase()
 if (!new_hostname) {
 console.log(`New peer request from ${req.requester} didn't provide a hostname`)
 return res.sendStatus(400)
+ } else if (!/^([\-\_a-z0-9]{1,20})$/.test(new_hostname)) {
+ console.log(`New peer request from ${req.requester} provided an invalid hostname: ${new_hostname}`)
+ return res.sendStatus(400)
 } else console.log(`New peer request from ${req.requester} for ${new_hostname}`)
 // Get user from IP
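Review bot: The new `.trim().toLowerCase()` chain on the `new_hostname` line runs before any check, so a request with no `name` parameter, or with a repeated or bracketed one (which Express's default query parser, if that is what is in use here, turns into an array or object), throws a TypeError inside the async handler instead of reaching the 400 branch. In an async handler that rejection is not answered with a status and, depending on the framework and Node version, can leave the request hanging or end the process. Guard the type first, e.g. `const raw_name = req.query['name']` followed by `const new_hostname = typeof raw_name === 'string' ? raw_name.trim().toLowerCase() : ''`. The invalid-hostname log line also writes the rejected value verbatim, so embedded newlines or control characters can forge log entries; log `JSON.stringify(new_hostname)` instead. The handler's body continues past the end of the hunk.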