From d96da37e2aacd1b5524e694d743db65efad7f399 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Wed, 30 Dec 2020 16:25:00 -0500
Subject: [PATCH] validate send model parameters (#1067)
---
 src/Api/Controllers/SendsController.cs | 2 ++
 .../Models/Api/Request/SendRequestModel.cs | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/src/Api/Controllers/SendsController.cs b/src/Api/Controllers/SendsController.cs
index 5a188bffd8..6b3751d676 100644
--- a/src/Api/Controllers/SendsController.cs
+++ b/src/Api/Controllers/SendsController.cs
@@ -84,6 +84,7 @@ namespace Bit.Api.Controllers
 [HttpPost("")]
 public async Task Post([FromBody] SendRequestModel model)
 {
+ model.ValidateCreation();
 var userId = _userService.GetProperUserId(User).Value;
 var send = model.ToSend(userId, _sendService);
 await _sendService.SaveSendAsync(send);
@@ -108,6 +109,7 @@ namespace Bit.Api.Controllers
 Send send = null;
 await Request.GetSendFileAsync(async (stream, fileName, model) =>
 {
+ model.ValidateCreation();
 var userId = _userService.GetProperUserId(User).Value;
 var (madeSend, madeData) = model.ToSend(userId, fileName, _sendService);
 send = madeSend;
diff --git a/src/Core/Models/Api/Request/SendRequestModel.cs b/src/Core/Models/Api/Request/SendRequestModel.cs
index c23ec3d5f1..ae6638c6a1 100644
--- a/src/Core/Models/Api/Request/SendRequestModel.cs
+++ b/src/Core/Models/Api/Request/SendRequestModel.cs
@@ -6,6 +6,7 @@ using Newtonsoft.Json;
 using Bit.Core.Models.Data;
 using System.ComponentModel.DataAnnotations;
 using Bit.Core.Services;
+using Bit.Core.Exceptions;
 namespace Bit.Core.Models.Api
 {
@@ -22,6 +23,7 @@ namespace Bit.Core.Models.Api
 [EncryptedString]
 [EncryptedStringLength(1000)]
 public string Key { get; set; }
+ [Range(1, int.MaxValue)]
 public int? MaxAccessCount { get; set; }
 public DateTime? ExpirationDate { get; set; }
 [Required]
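Review bot: The attribute validation on `SendRequestModel` is probably skipped for file sends, because in the second SendsController.cs hunk the model arrives through the `Request.GetSendFileAsync` callback rather than a `[FromBody]` parameter. Unless that helper validates the model itself, the `[Range(1, int.MaxValue)]` this commit adds to `MaxAccessCount` in the SendRequestModel.cs hunk, along with the existing `[Required]` and `[EncryptedStringLength(1000)]` attributes, would not be enforced on that path, so a zero or negative `MaxAccessCount` could still be stored. Consider validating explicitly inside the callback before `ToSend`, e.g. `if (!TryValidateModel(model)) { /* reject with a 400 */ }`, or running the attribute validation from `ValidateCreation()` so both entry points share it. The enclosing action method starts and ends outside the hunk.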
@@ -77,6 +79,22 @@ namespace Bit.Core.Models.Api
 return existingSend;
 }
+ public void ValidateCreation()
+ {
+ // Add 1 minute for a sane buffer and client clock float
+ var nowPlus1Minute = DateTime.UtcNow.AddMinutes(1);
+ if (ExpirationDate.HasValue && ExpirationDate.Value <= nowPlus1Minute)
+ {
+ throw new BadRequestException("You cannot create a send that is already expired. " +
+ "Adjust the expiration date and try again.");
+ }
+ if (DeletionDate.HasValue && DeletionDate.Value <= nowPlus1Minute)
+ {
+ throw new BadRequestException("You cannot create a send that is already deleted. " +
+ "Adjust the deletion date and try again.");
+ }
+ }
+
 private Send ToSendBase(Send existingSend, ISendService sendService)
 {
 existingSend.Key = Key;
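Review bot: The two comparisons in `ValidateCreation()` measure client-supplied `DateTime` values against `DateTime.UtcNow` without normalizing them, and `DateTime` comparison ignores `Kind`. If the JSON settings can produce `Local` values for timestamps sent with an offset, a server not running in UTC could accept an already-past date or reject a valid one. If that can happen, normalize first, e.g. `ExpirationDate.Value.ToUniversalTime() <= nowPlus1Minute` (same for `DeletionDate`), or else state the UTC assumption in the comment above `nowPlus1Minute`. The `HasValue` guard also lets a null `DeletionDate` pass, so the method depends on `[Required]` having been enforced before it is called. The rest of the class lies outside the hunk.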