
Disallow additional paths, closes #123

Jake %!s(int64=10) %!d(string=hai) anos
pai
achega
f1fd92f1cf
Modificáronse 4 ficheiros con 37 adicións e 1 borrados
  1. 9 0
      lib/routes/avatars.js
  2. 10 1
      lib/routes/capes.js
  3. 9 0
      lib/routes/renders.js
  4. 9 0
      lib/routes/skins.js

+ 9 - 0
lib/routes/avatars.js

@@ -33,6 +33,15 @@ module.exports = function(req, callback) {
   var def = req.url.query.default;
   var helm = req.url.query.hasOwnProperty("helm");
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   // Prevent app from crashing/freezing
   if (size < config.min_size || size > config.max_size) {
     // "Unprocessable Entity", valid request, but semantically erroneous:
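Review bot: The new guard depends on how `req.url.path_list` is built, which is outside this hunk; if a trailing slash (`/avatars/<id>/`) produces an empty final segment, the request is now answered with `Invalid URL Path` where the previous code would have served it, so that case should be confirmed and the comment should say which it is, e.g. `// reject more segments than /avatars/<id>; a trailing slash counts as an extra segment`. The same nine-line block is pasted into capes.js, renders.js and skins.js with only the threshold differing, so a change to the status or message later has to be made four times; a small shared helper that takes the allowed depth and returns the error object, called as `if (helpers.too_many_paths(req, 2, callback)) return;`, would keep the routes consistent. The enclosing route function starts before the hunk.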

+ 10 - 1
lib/routes/capes.js

@@ -4,10 +4,19 @@ var cache = require("../cache");
 
 // GET cape request
 module.exports = function(req, callback) {
-  var userId = (req.url.pathname.split("/")[2] || "").split(".")[0];
+  var userId = (req.url.path_list[1] || "").split(".")[0];
   var def = req.url.query.default;
   var rid = req.id;
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   if (!helpers.id_valid(userId)) {
     callback({
       status: -2,

+ 9 - 0
lib/routes/renders.js

@@ -47,6 +47,15 @@ module.exports = function(req, callback) {
   var scale = parseInt(req.url.query.scale) || config.default_scale;
   var helm = req.url.query.hasOwnProperty("helm");
 
+  // check for extra paths
+  if (req.url.path_list.length > 3) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   // validate type
   if (raw_type !== "body" && raw_type !== "head") {
     callback({
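Review bot: The threshold here is `> 3` while the other three routes use `> 2`, and nothing in the hunk records why; presumably the renders URL carries an extra type segment (`raw_type` is validated just below), so the comment should say so, e.g. `// check for extra paths: /renders/<type>/<id> allows one segment more than the other routes`. The enclosing route function starts before the hunk.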

+ 9 - 0
lib/routes/skins.js

@@ -40,6 +40,15 @@ module.exports = function(req, callback) {
   var def = req.url.query.default;
   var rid = req.id;
 
+  // check for extra paths
+  if (req.url.path_list.length > 2) {
+    callback({
+      status: -2,
+      body: "Invalid URL Path"
+    });
+    return;
+  }
+
   if (!helpers.id_valid(userId)) {
     callback({
       status: -2,