security: consider entities before vanities to avoid hijacking

InfinityBotList · Feb 5, 2024 · 6f1c8f8 · 6f1c8f8
1 parent 600544c
commit 6f1c8f8
Showing 1 changed file with 25 additions and 25 deletions.
diff --git a/routes/vanity/assets/resolve.go b/routes/vanity/assets/resolve.go
@@ -37,45 +37,45 @@ func resolveImpl(ctx context.Context, code string, src string) (*types.Vanity, e
 }
 
 func ResolveVanity(ctx context.Context, code string) (*types.Vanity, error) {
-	var v *types.Vanity
-	var err error
-	for _, src := range []string{"code", "target_id"} {
-		v, err = resolveImpl(ctx, code, src)
+	// First check bot_id and client_id to avoid vanity stealing
+	var botId string
 
-		if err != nil {
-			return nil, err
-		}
+	err := state.Pool.QueryRow(ctx, "SELECT bot_id FROM bots WHERE client_id = $1", code).Scan(&botId)
 
-		if v == nil {
-			continue
-		}
-
-		break
+	if err != nil && !errors.Is(err, pgx.ErrNoRows) {
+		return nil, err
 	}
 
-	// If all fails, try checking client_id of bots
-	if v == nil {
-		var count int64
+	if botId != "" {
+		return resolveImpl(ctx, botId, "target_id")
+	}
 
-		err = state.Pool.QueryRow(ctx, "SELECT COUNT(*) FROM bots WHERE client_id = $1", code).Scan(&count)
+	// Then check server id
+	var serverId string
 
-		if err != nil {
-			return nil, err
-		}
+	err = state.Pool.QueryRow(ctx, "SELECT server_id FROM servers WHERE server_id = $1", code).Scan(&serverId)
 
-		if count == 0 {
-			return nil, nil
-		}
+	if err != nil && !errors.Is(err, pgx.ErrNoRows) {
+		return nil, err
+	}
 
-		var botId string
+	if serverId != "" {
+		return resolveImpl(ctx, serverId, "target_id")
+	}
 
-		err = state.Pool.QueryRow(ctx, "SELECT bot_id FROM bots WHERE client_id = $1", code).Scan(&botId)
+	var v *types.Vanity
+	for _, src := range []string{"code", "target_id"} {
+		v, err = resolveImpl(ctx, code, src)
 
 		if err != nil {
 			return nil, err
 		}
 
-		return resolveImpl(ctx, botId, "target_id")
+		if v == nil {
+			continue
+		}
+
+		break
 	}
 
 	return v, nil