[fix] properly handle mutex poisoning everywhere

[chore] bump version (v0.9.0 -> v0.9.1) (SECURITY FIX)
hkau 2024-02-25 21:37:25 -05:00
parent eb664a0586
commit d5f6a739f9
6 changed files with 67 additions and 17 deletions


@ -3,7 +3,7 @@ name = "bundlrs"
authors = ["hkau"]
license = "MIT"
version = "0.9.0"
version = "0.9.1"
edition = "2021"
rust-version = "1.75"


@ -67,7 +67,14 @@ pub async fn render_paste_ssm_request(
data: web::Data<Mutex<bundlesdb::AppData>>,
) -> impl Responder {
let custom_url: String = req.match_info().get("url").unwrap().to_string();
let res = data.lock().unwrap().db.get_paste_by_url(custom_url).await;
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let res = lock.db.get_paste_by_url(custom_url).await;
if !res.success {
return HttpResponse::NotFound()
@ -454,7 +461,14 @@ pub async fn exists_request(
data: web::Data<Mutex<bundlesdb::AppData>>,
) -> impl Responder {
let custom_url: String = req.match_info().get("url").unwrap().to_string();
let res = data.lock().unwrap().db.get_paste_by_url(custom_url).await;
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let res = lock.db.get_paste_by_url(custom_url).await;
// return
return HttpResponse::Ok()
@ -469,8 +483,15 @@ pub async fn get_from_url_request(
data: web::Data<Mutex<bundlesdb::AppData>>,
) -> impl Responder {
let custom_url: String = req.match_info().get("url").unwrap().to_string();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let res: bundlesdb::DefaultReturn<Option<bundlesdb::Paste<String>>> =
data.lock().unwrap().db.get_paste_by_url(custom_url).await;
lock.db.get_paste_by_url(custom_url).await;
// if res.metadata contains '"private_source":"on"', return NotFound
if res.payload.is_some()
@ -516,8 +537,15 @@ pub async fn get_from_id_request(
data: web::Data<Mutex<bundlesdb::AppData>>,
) -> impl Responder {
let id: String = req.match_info().get("id").unwrap().to_string();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let res: bundlesdb::DefaultReturn<Option<bundlesdb::Paste<String>>> =
data.lock().unwrap().db.get_paste_by_id(id).await;
lock.db.get_paste_by_id(id).await;
// if res.metadata contains '"private_source":"on"', return NotFound
if res.payload.is_some()
@ -563,8 +591,15 @@ pub async fn get_from_owner_request(
data: web::Data<Mutex<bundlesdb::AppData>>,
) -> impl Responder {
let username: String = req.match_info().get("username").unwrap().to_string();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let res: bundlesdb::DefaultReturn<Option<Vec<bundlesdb::PasteIdentifier>>> =
data.lock().unwrap().db.get_pastes_by_owner(username).await;
lock.db.get_pastes_by_owner(username).await;
// return
return HttpResponse::Ok()
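Review bot: Binding the guard to `lock` keeps the `AppData` mutex held until the end of each handler instead of only for the database statement, so in `render_paste_ssm_request` the `!res.success` branch and the response building after `get_paste_by_url(custom_url).await` now run under the lock, and a panic anywhere in that tail poisons the mutex again. If nothing further down needs the guard, add `drop(lock);` directly after the awaited call. The same applies to `exists_request`, `get_from_url_request`, `get_from_id_request` and `get_from_owner_request` in this file and to the identical blocks in the later file sections of this commit. All of these handler bodies continue outside their hunks, so whether `lock` is used again later should be checked first.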


@ -690,7 +690,7 @@ impl BundlesDB {
// return
return DefaultReturn {
success: true,
message: String::from("Paste exists"),
message: String::from("Paste exists (cache)"),
payload: Option::Some(Paste {
custom_url: paste.custom_url.to_string(),
id: paste.id.to_string(),
@ -752,7 +752,7 @@ impl BundlesDB {
// return
return DefaultReturn {
success: true,
message: String::from("Paste exists"),
message: String::from("Paste exists (new)"),
payload: Option::Some(paste),
};
}
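Review bot: The new `(cache)` and `(new)` suffixes put an internal detail, whether the paste was served from the cache, into `DefaultReturn.message`. If that message reaches API clients (the serialization is not visible in this commit), any caller can tell whether a paste was fetched recently, and consumers that compare against `"Paste exists"` stop matching. Consider keeping the returned message stable and recording the source in a comment or debug log instead, e.g. `// served from cache` above the first `return`. Both `return` statements sit in functions that start outside the hunks.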


@ -346,8 +346,15 @@ You can create an account at: /d/auth/register",
// get paste
let id: String = req.match_info().get("id").unwrap().to_string();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let paste: bundlesdb::DefaultReturn<Option<Paste<String>>> =
data.lock().unwrap().db.get_paste_by_id(id).await;
lock.db.get_paste_by_id(id).await;
if paste.success == false {
let renderer = ServerRenderer::<crate::pages::errors::_404Page>::new();
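Review bot: As a point of style, this five-line `match` is pasted verbatim at every call site the commit touches; it collapses to `let lock = data.lock().unwrap_or_else(|poisoned| poisoned.into_inner());`, or to one small helper that takes `data` and returns the guard, so the poison-recovery policy lives in one place. `let mut lock` is only needed if the `db` methods take `&mut self`; their signatures are not visible here, so check whether the compiler reports `unused_mut`. The enclosing handler starts and ends outside the hunk.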


@ -185,8 +185,14 @@ pub async fn profile_view_request(
let username: String = req.match_info().get("username").unwrap().to_string();
let username_c = username.clone();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let user: bundlesdb::DefaultReturn<Option<UserState>> =
data.lock().unwrap().db.get_user_by_username(username).await;
lock.db.get_user_by_username(username).await;
if user.success == false {
let renderer = ServerRenderer::<crate::pages::errors::_404Page>::new();
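Review bot: The `Err(poisoned)` arm in `profile_view_request` recovers silently, so a handler panic that poisoned the mutex leaves no trace at the point where it is detected. Since this release is tagged as a security fix for that condition, record the event when it happens, for example `Err(poisoned) => { eprintln!("AppData mutex poisoned, recovering"); poisoned.into_inner() }`, or through the project's logger if it has one. The comment would also help more if it stated why continuing is acceptable, e.g. `// a handler panicked while holding the lock; recover the guard, assuming AppData is still consistent (confirm)`. The same arm appears at the other call sites in this commit.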


@ -215,9 +215,7 @@ pub async fn paste_view_request(
let token_user = if token_cookie.is_some() {
Option::Some(
data.lock()
.unwrap()
.db
lock.db
.get_user_by_hashed(token_cookie.as_ref().unwrap().value().to_string()) // if the user is returned, that means the ID is valid
.await,
)
@ -234,9 +232,7 @@ pub async fn paste_view_request(
// count view (this will check for an existing view!)
let payload = &token_user.as_ref().unwrap().payload;
if payload.as_ref().is_some() {
data.lock()
.unwrap()
.db
lock.db
.add_view_to_url(&url_c, &payload.as_ref().unwrap().username)
.await;
}
@ -319,8 +315,14 @@ pub async fn atomic_paste_view_request(
let url: String = req.match_info().get("url").unwrap().to_string();
let path: String = req.match_info().get("path").unwrap().to_string();
let mut lock = match data.lock() {
Ok(lock) => lock,
// the poisoned guard tells us that something panicked while handling a locked guard
Err(poisoned) => poisoned.into_inner(),
};
let paste: bundlesdb::DefaultReturn<Option<Paste<String>>> =
data.lock().unwrap().db.get_paste_by_url(url).await;
lock.db.get_paste_by_url(url).await;
if paste.success == false {
let renderer = ServerRenderer::<crate::pages::errors::_404Page>::new();
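Review bot: The guard obtained from `data.lock()` is a blocking `std::sync::Mutex` guard (only that mutex poisons), and it is held across `.await` points: in `atomic_paste_view_request` across `get_paste_by_url(url).await`, and in `paste_view_request`, where `lock` is declared outside both hunks, apparently across `get_user_by_hashed(...).await` and `add_view_to_url(...).await`. If those calls actually suspend, another request scheduled on the same worker thread that reaches `data.lock()` blocks the thread, the holder cannot resume, and that worker stalls. Consider releasing the guard before awaiting, for instance by taking a cloneable database handle out of `AppData` if `db` supports that, or using an async-aware mutex for this shared state. Both function bodies continue outside the hunks.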