validate send model parameters (#1067)

2025-04-05 21:18:13 -05:00 · 2020-12-30 16:25:00 -05:00 · 2020-12-30 16:25:00 -05:00 · d96da37e2a
commit d96da37e2a
parent 4825998ba5
2 changed files with 20 additions and 0 deletions
--- a/src/Api/Controllers/SendsController.cs
+++ b/src/Api/Controllers/SendsController.cs
@ -84,6 +84,7 @@ namespace Bit.Api.Controllers
        [HttpPost("")]
        public async Task<SendResponseModel> Post([FromBody] SendRequestModel model)
        {
+            model.ValidateCreation();
            var userId = _userService.GetProperUserId(User).Value;
            var send = model.ToSend(userId, _sendService);
            await _sendService.SaveSendAsync(send);
@ -108,6 +109,7 @@ namespace Bit.Api.Controllers
            Send send = null;
            await Request.GetSendFileAsync(async (stream, fileName, model) =>
            {
+                model.ValidateCreation();
                var userId = _userService.GetProperUserId(User).Value;
                var (madeSend, madeData) = model.ToSend(userId, fileName, _sendService);
                send = madeSend;
--- a/src/Core/Models/Api/Request/SendRequestModel.cs
+++ b/src/Core/Models/Api/Request/SendRequestModel.cs
@ -6,6 +6,7 @@ using Newtonsoft.Json;
 using Bit.Core.Models.Data;
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Services;
+using Bit.Core.Exceptions;

 namespace Bit.Core.Models.Api
 {
@ -22,6 +23,7 @@ namespace Bit.Core.Models.Api
        [EncryptedString]
        [EncryptedStringLength(1000)]
        public string Key { get; set; }
+        [Range(1, int.MaxValue)]
        public int? MaxAccessCount { get; set; }
        public DateTime? ExpirationDate { get; set; }
        [Required]
@ -77,6 +79,22 @@ namespace Bit.Core.Models.Api
            return existingSend;
        }

+        public void ValidateCreation()
+        {
+            // Add 1 minute for a sane buffer and client clock float
+            var nowPlus1Minute = DateTime.UtcNow.AddMinutes(1);
+            if (ExpirationDate.HasValue && ExpirationDate.Value <= nowPlus1Minute)
+            {
+                throw new BadRequestException("You cannot create a send that is already expired. " +
+                    "Adjust the expiration date and try again.");
+            }
+            if (DeletionDate.HasValue && DeletionDate.Value <= nowPlus1Minute)
+            {
+                throw new BadRequestException("You cannot create a send that is already deleted. " +
+                    "Adjust the deletion date and try again.");
+            }
+        }
+
        private Send ToSendBase(Send existingSend, ISendService sendService)
        {
            existingSend.Key = Key;