From 46015de19d30f87b9e5ea3287f0c474243eaf1c5 Mon Sep 17 00:00:00 2001
From: Florian Dieminger <me@fiji-flo.de>
Date: Wed, 5 Jul 2023 13:03:27 +0200
Subject: [PATCH] fix(play): don't panic on to short id (#273)

---
 src/api/error.rs  |  2 ++
 src/api/play.rs   |  3 +++
 tests/api/play.rs | 15 +++++++++++++++
 3 files changed, 20 insertions(+)

diff --git a/src/api/error.rs b/src/api/error.rs
index b3cc153c..43bd4ab9 100644
--- a/src/api/error.rs
+++ b/src/api/error.rs
@@ -55,6 +55,8 @@ pub enum PlaygroundError {
     CryptError(#[from] aes_gcm::Error),
     #[error("Crypt decoding error: {0}")]
     DecodeError(#[from] base64::DecodeError),
+    #[error("No nonce error")]
+    NoNonceError,
     #[error("Crypt utf error: {0}")]
     UtfDecodeError(#[from] FromUtf8Error),
     #[error("Playground error: no settings")]
diff --git a/src/api/play.rs b/src/api/play.rs
index 35274ac3..0e3411a4 100644
--- a/src/api/play.rs
+++ b/src/api/play.rs
@@ -75,6 +75,9 @@ fn encrypt(gist_id: &str) -> Result<String, PlaygroundError> {
 fn decrypt(encoded: &str) -> Result<String, PlaygroundError> {
     if let Some(cipher) = &*CIPHER {
         let data = STANDARD.decode(encoded)?;
+        if NONCE_LEN > data.len() {
+            return Err(PlaygroundError::NoNonceError);
+        }
         let (enc, nonce) = data.split_at(data.len() - NONCE_LEN);
         let nonce = Nonce::from_slice(nonce);
         let data = cipher.decrypt(nonce, enc)?;
diff --git a/tests/api/play.rs b/tests/api/play.rs
index 029f0d8e..86e955d3 100644
--- a/tests/api/play.rs
+++ b/tests/api/play.rs
@@ -2,6 +2,7 @@ use crate::helpers::app::test_app_with_login;
 use crate::helpers::db::reset;
 use crate::helpers::http_client::TestHttpClient;
 use crate::helpers::{read_json, wait_for_stubr};
+use actix_http::StatusCode;
 use actix_web::test;
 use anyhow::Error;
 use assert_json_diff::assert_json_eq;
@@ -63,3 +64,17 @@ async fn test_playground() -> Result<(), Error> {
     assert_eq!(playground.deleted_user_id, Some(user_id));
     Ok(())
 }
+
+#[actix_rt::test]
+#[stubr::mock(port = 4321)]
+async fn test_invalid_id() -> Result<(), Error> {
+    let pool = reset()?;
+    wait_for_stubr().await?;
+    let app = test_app_with_login(&pool).await?;
+    let service = test::init_service(app).await;
+    let mut client = TestHttpClient::new(service).await;
+    let res = client.get("/api/v1/play/sssieddidxsx", None).await;
+    // This used to panic, now it should just 500
+    assert_eq!(res.status(), StatusCode::INTERNAL_SERVER_ERROR);
+    Ok(())
+}