From 9d616912e0f6277f1bf46f36b2be9344eb3e75f4 Mon Sep 17 00:00:00 2001
From: Markus Wiegand
Date: Fri, 17 Jul 2020 18:19:40 +0200
Subject: [PATCH] add text query length check
---
 controller/item.go | 12 ++++++++++++
 controller/location.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/controller/item.go b/controller/item.go
index a1c6c78..6968ba8 100644
--- a/controller/item.go
+++ b/controller/item.go
@@ -29,6 +29,12 @@ func ItemIndexGET(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 return
 }
 
+ if l := len(txt); l < 3 || l > 32 {
+ s := &Status{}
+ s.BadRequest("Query string has an invalid length").Render(w)
+ return
+ }
+
 if !isAlnumBlankPunct(txt) {
 s := &Status{}
 s.BadRequest("Query string contains invalid characters").Render(w)
@@ -142,6 +148,12 @@ Loop:
 return
 }
 
+ if l := len(txt); l < 3 || l > 32 {
+ s := &Status{}
+ s.BadRequest("Query string has an invalid length").Render(w)
+ return
+ }
+
 if !isAlnumBlankPunct(txt) {
 s := &Status{}
 s.BadRequest("Query string contains invalid characters").Render(w)
diff --git a/controller/location.go b/controller/location.go
index acf6109..c6384b2 100644
--- a/controller/location.go
+++ b/controller/location.go
@@ -50,6 +50,18 @@ Loop:
 return
 }
 
+ if l := len(txt); l < 3 || l > 32 {
+ s := &Status{}
+ s.BadRequest("Query string has an invalid length").Render(w)
+ return
+ }
+
+ if !isAlnumBlankPunct(txt) {
+ s := &Status{}
+ s.BadRequest("Query string contains invalid characters").Render(w)
+ return
+ }
+
 result, err = location.GetByText(txt, opts)
 if err != nil {
 handleError(err, w)
@@ -204,6 +216,18 @@ Loop:
 return
 }
 
+ if l := len(txt); l < 3 || l > 32 {
+ s := &Status{}
+ s.BadRequest("Query string has an invalid length").Render(w)
+ return
+ }
+
+ if !isAlnumBlankPunct(txt) {
+ s := &Status{}
+ s.BadRequest("Query string contains invalid characters").Render(w)
+ return
+ }
+
 result, err = feature.GetByText(txt, lID, opts)
 if err != nil {
 handleError(err, w)
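Review bot: The length guard added to ItemIndexGET in the first item.go hunk is pasted verbatim into four more places (the second item.go hunk and all three location.go hunks), with the bounds 3 and 32 written as literals each time. Because this is input validation in front of the text-search lookups, a later change to the limits or a newly added handler can easily leave one path unchecked. I would move the length and character checks into one helper with named constants and call it from every handler. The handlers start and end outside the hunks, so the sketch shows only the helper and one call site.

```go
const (
	minQueryLen = 3
	maxQueryLen = 32
)

// validQueryText renders a 400 and returns false when txt fails the
// length or character checks shared by the text-search handlers.
func validQueryText(w http.ResponseWriter, txt string) bool {
	if l := len(txt); l < minQueryLen || l > maxQueryLen {
		s := &Status{}
		s.BadRequest("Query string has an invalid length").Render(w)
		return false
	}
	if !isAlnumBlankPunct(txt) {
		s := &Status{}
		s.BadRequest("Query string contains invalid characters").Render(w)
		return false
	}
	return true
}

// … in ItemIndexGET and the other four call sites …
if !validQueryText(w, txt) {
	return
}
```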
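Review bot: A query made only of blanks still passes the guard added in the second item.go hunk (`@@ -142`): three spaces satisfy `l < 3 || l > 32`, and judging by its name isAlnumBlankPunct accepts blanks, so the search would run on an effectively empty term. Unless txt is already trimmed above the hunk, which is not visible here, trim before measuring with `txt = strings.TrimSpace(txt)` so the minimum applies to real content. The same holds for the first item.go hunk and the three location.go hunks. The enclosing handler begins and ends outside the hunk.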
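Review bot: `len(txt)` in the first location.go hunk (`@@ -50`) measures bytes, not characters, so the 3 to 32 bound only matches the error message if isAlnumBlankPunct is ASCII-only. Its definition is not in the diff; if it accepts non-ASCII letters, a single three-byte character would meet the minimum and the cap would fall below 32 characters, and `utf8.RuneCountInString(txt)` would be the right measure. If it is ASCII-only, a short comment such as `// length in bytes; isAlnumBlankPunct below restricts txt to ASCII` would record the assumption. This applies to all five copies of the check, and the handler starts and ends outside the hunk.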
@@ -423,6 +447,18 @@ Loop:
 return
 }
 
+ if l := len(txt); l < 3 || l > 32 {
+ s := &Status{}
+ s.BadRequest("Query string has an invalid length").Render(w)
+ return
+ }
+
+ if !isAlnumBlankPunct(txt) {
+ s := &Status{}
+ s.BadRequest("Query string contains invalid characters").Render(w)
+ return
+ }
+
 result, err = featuregroup.GetByText(txt, lID, opts)
 if err != nil {
 handleError(err, w)