From a5c8a060d700e98e8a516f91a77b3ecb0b314be6 Mon Sep 17 00:00:00 2001
From: Mentor Palokaj
Date: Mon, 22 Nov 2021 10:51:46 +0100
Subject: [PATCH] API abuse protection
---
 README.md | 2 +-
 functions/modules/mainnet.js | 6 +++++-
 functions/modules/testnet.js | 6 +++++-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 44ca300..c792ea8 100644
--- a/README.md
+++ b/README.md
@@ -24,4 +24,4 @@ The Rocketeer viewer hosted at [viewer.rocketeer.fans]( https://viewer.rocketeer
 ### Oracle code
-The metadata and image oracle generates the Rocketeer data when one is minted. The code is inside the `functions` folder.
\ No newline at end of file
+The metadata and image oracle generates the Rocketeer data when one is minted. The code is inside the `functions` folder.
diff --git a/functions/modules/mainnet.js b/functions/modules/mainnet.js
index 7d8d189..e94d10d 100644
--- a/functions/modules/mainnet.js
+++ b/functions/modules/mainnet.js
@@ -10,9 +10,13 @@ const { setAvatar, resetAvatar } = require( '../integrations/avatar' )
 app.get( '/api/rocketeer/:id', async ( req, res ) => {
 	// Parse the request
-	const { id } = req.params
+	let { id } = req.params
 	if( !id ) return res.json( { error: `No ID specified in URL` } )
+	// Protect against malformed input
+	id = Math.floor( Math.abs( id ) )
+	if( typeof id !== 'number' ) return res.json( { error: `Malformed request` } )
+
 	try {
 		// Get old rocketeer if it exists
diff --git a/functions/modules/testnet.js b/functions/modules/testnet.js
index 07e1f5a..51e1e91 100644
--- a/functions/modules/testnet.js
+++ b/functions/modules/testnet.js
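Review bot: The new `typeof id !== 'number'` guard in mainnet.js can never reject anything, because `Math.floor( Math.abs( id ) )` returns `NaN` for a non-numeric `:id` (and `Infinity` for an overlong numeric one), and `typeof NaN === 'number'`, so malformed values still reach the lookup below; the same pattern is in the testnet.js hunk. A check that actually constrains the value would be `const parsed = Number( id )` followed by `if( !Number.isSafeInteger( parsed ) || parsed < 0 ) return res.json( { error: \`Malformed request\` } )` and then `id = parsed`, which also stops `Math.abs` from silently serving id 5 for a request of `-5`. Consider returning a 4xx status with that error (`res.status( 400 ).json( ... )`) so clients and monitoring can distinguish rejected input from a successful response. The route handler's body continues past the end of the hunk, so any later use of `id` outside this view should be checked against the new numeric type.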
@@ -8,9 +8,13 @@ const { safelyReturnRocketeer, web2domain } = require( './rocketeer' )
 app.get( '/testnetapi/rocketeer/:id', async ( req, res ) => {
 	// Parse the request
-	const { id } = req.params
+	let { id } = req.params
 	if( !id ) return res.json( { error: `No ID specified in URL` } )
+	// Protect against malformed input
+	id = Math.floor( Math.abs( id ) )
+	if( typeof id !== 'number' ) return res.json( { error: `Malformed request` } )
+
 	try {
 		// Get old rocketeer if it exists