From c415da756b0d57b8da3166f24ac7591171e6edd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Km=C3=ADnek?=
Date: Fri, 6 Sep 2024 22:31:10 +0200
Subject: [PATCH] feat: Sanitize invalid datetimes

---
 app/module/event/manager/EventManager.php | 24 +++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/app/module/event/manager/EventManager.php b/app/module/event/manager/EventManager.php
index cfdfb464..c5998c31 100644
--- a/app/module/event/manager/EventManager.php
+++ b/app/module/event/manager/EventManager.php
@@ -302,12 +302,24 @@ protected function allowCreate(?array &$data = null): void
         if (!isset($data["endTime"])) {
             $data["endTime"] = $data["startTime"];
         }
-        if (!isset($data["closeTime"])) {
+
+        try {
+            $closeTimeDT = new DateTime($data["closeTime"]);
+        } catch (Exception $exc) {
+            $this->respondBadRequest($this->translator->translate("event.close") . ": " . $this->translator->translate("common.errors.valueInvalid"));
+        }
+
+        try {
+            $startTimeDT = new DateTime($data["startTime"]);
+        } catch (Exception $exc) {
+            $this->respondBadRequest($this->translator->translate("event.start") . ": " . $this->translator->translate("common.errors.valueInvalid"));
         }
-        $closeTimeDT = new DateTime($data["closeTime"]);
-        $startTimeDT = new DateTime($data["startTime"]);
-        $endTimeDT = new DateTime($data["endTime"]);
+        try {
+            $endTimeDT = new DateTime($data["endTime"]);
+        } catch (Exception $exc) {
+            $this->respondBadRequest($this->translator->translate("event.end") . ": " . $this->translator->translate("common.errors.valueInvalid"));
+        }
 
         if ($closeTimeDT > $startTimeDT) {
             $this->respondBadRequest($this->translator->translate("event.errors.closeAfterStart"));
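Review bot: `$data["closeTime"]` is read unguarded on the first new `new DateTime(...)` line, while `endTime` just above is defaulted when unset and the old `isset($data["closeTime"])` guard is removed; a request without `closeTime` raises an undefined-key warning and passes null to DateTime, which is a deprecation (or a TypeError under strict_types) rather than the Exception the catch handles, so such a request is not rejected with the "valueInvalid" message. A presence check before the try would close that gap, e.g. `if (!isset($data["closeTime"])) { $this->respondBadRequest($this->translator->translate("event.close") . ": " . $this->translator->translate("common.errors.valueInvalid")); }`. The three try/catch blocks differ only in the key and the label, so a small private helper taking the value and the label key would keep them from drifting apart. The code after each catch assumes respondBadRequest does not return; if it can, `$closeTimeDT` is undefined at the comparison below, which is worth confirming and stating in a comment such as `// respondBadRequest() terminates the request`. allowCreate continues outside the hunk.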
@@ -346,6 +358,10 @@ protected function allowRead(?int $recordId = null): void
         if ($recordId) {
             $this->event = $this->getById($recordId);
+            if (!$this->event) {
+                $this->respondNotFound(Event::MODULE, $recordId);
+            }
+
             if (!$this->canRead($this->event, $this->user->getId())) {
                 $this->responder->E4001_VIEW_NOT_PERMITTED(Event::MODULE, $recordId);
             }
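Review bot: The new `if (!$this->event)` check answers not-found before canRead runs, so a caller without view permission receives a 404 for absent ids and E4001 for existing ones, which lets them learn which event ids exist; if that distinction is unwanted here, the same not-found response can cover both cases, `if (!$this->event || !$this->canRead($this->event, $this->user->getId())) { $this->respondNotFound(Event::MODULE, $recordId); }`. The guard also relies on respondNotFound not returning; if it can return, canRead receives null, so a comment such as `// respondNotFound() terminates the request` would document the assumption. The `if ($recordId)` block and allowRead end outside the hunk.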