fix(api): disallow db and rssfeed recipient types in /api/notifier

JM-Lemmi · Sep 24, 2024 · 56f20b8 · 56f20b8
1 parent 3c480c6
commit 56f20b8
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,3 +1,7 @@
+# 2.0.0-beta.9.1
+
+- disallow db and rssfeed recipient types in /api/notifier/
+
 # 2.0.0-beta.9
 
 - ical-notifier binary hived off

diff --git a/cmd/ical-relay/api.go b/cmd/ical-relay/api.go
@@ -188,6 +188,14 @@ func NotifyRecipientApiHandler(w http.ResponseWriter, r *http.Request) {
 	// get URL parameters
 	rectype := r.URL.Query().Get("type")
 	recipient := r.URL.Query().Get("recipient")
+
+	if rectype != "mail" && rectype != "webhook" {
+		// denying access to other recipient types, like db and rss feed
+		w.WriteHeader(http.StatusForbidden)
+		fmt.Fprint(w, "Access denied\n")
+		return
+	}
+
 	if rectype == "mail" {
 		// check for valid email address on mail recipient type
 		if !helpers.ValidMail(recipient) {
@@ -211,6 +219,7 @@ func NotifyRecipientApiHandler(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprint(w, "Added "+rectype+" "+recipient+" to "+notifier+"\n")
 		}
+
 	case http.MethodDelete:
 		err := dataStore.RemoveNotifyRecipient(notifier, datastore.Recipient{Recipient: recipient, Type: rectype})
 		if err != nil {

diff --git a/documentation/swagger.yaml b/documentation/swagger.yaml
@@ -69,6 +69,8 @@ paths:
           description: successful operation
         '400':
           description: not a valid type or E-Mail address
+        '403':
+          description: disallowed recipient type
         '404':
           description: Notifier does not exist
         '500':