From d8146636ea0cb3b325b9b7d14806e249c45e37b9 Mon Sep 17 00:00:00 2001
From: nogoodidea <bryce@jauquet.com>
Date: Mon, 26 Feb 2024 19:15:27 -0500
Subject: [PATCH] added input valadation

---
 proxstar/__init__.py         |  9 ++++++++-
 proxstar/static/js/script.js | 11 ++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/proxstar/__init__.py b/proxstar/__init__.py
index f5a03b5..c72f0f5 100644
--- a/proxstar/__init__.py
+++ b/proxstar/__init__.py
@@ -412,6 +412,8 @@ def vm_renew(vmid):
 @app.route('/vm/<string:vmid>/disk/create/<int:size>', methods=['POST'])
 @auth.oidc_auth
 def create_disk(vmid, size):
+    if(size =< 0):## are they trying to disk with zero size
+            return '', 400
     user = User(session['userinfo']['preferred_username'])
     connect_proxmox()
     if user.rtp or int(vmid) in user.allowed_vms:
@@ -589,8 +591,13 @@ def create():
             name = request.form['name'].lower()
             cores = request.form['cores']
             memory = request.form['mem']
-            template = request.form['template']
             disk = request.form['disk']
+            ## CHECK STUFF DEAR GOD
+            if(int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0){
+                return 'VM creation with cores and/or mem and/or disk values that are less than 0' 400
+            }
+
+            template = request.form['template']
             iso = request.form['iso']
             ssh_key = request.form['ssh_key']
             if iso != 'none':
diff --git a/proxstar/static/js/script.js b/proxstar/static/js/script.js
index 6f61324..2e1708b 100644
--- a/proxstar/static/js/script.js
+++ b/proxstar/static/js/script.js
@@ -238,12 +238,21 @@ $("#create-vm").click(function(){
         if (name && disk) {
             if (template != 'none' && !ssh_regex.test(ssh_key)) {
                 swal("Uh oh...", "Invalid SSH key!", "error");
+            // MAXIMUM BOUNDS CHECK
             } else if (disk > max_disk) {
                 swal("Uh oh...", `You do not have enough disk resources available! Please lower the VM disk size to ${max_disk}GB or lower.`, "error");
             } else if (template != 'none' && cores > max_cpu) {
                 swal("Uh oh...", `You do not have enough CPU resources available! Please lower the VM cores to ${max_cpu} or lower.`, "error");
             } else if (template != 'none' && mem/1024 > max_mem) {
                 swal("Uh oh...", `You do not have enough memory resources available! Please lower the VM memory to ${max_mem}GB or lower.`, "error");
+            // MINIMUM BOUNDS CHECK
+            else if(0 <= disk){
+              swal("Uh oh...", `Selected disk size is less than 0.`,"error");
+            }else if(0 <= cores){
+              swal("Uh oh...", `Selected cores amount is less than 0.`,"error");
+            }else if(0 <= mem){
+              swal("Uh oh...", `Selected memory size is less than 0.`,"error");
+            }
             } else {
                 fetch(`/hostname/${name}`, {
                     credentials: 'same-origin',
@@ -1155,4 +1164,4 @@ $(".delete-disk").click(function(){
     const vmid = $(this).data('vmid')
     const disk = $(this).data('disk')
     confirmDialog(`/vm/${vmid}/disk/${disk}/delete`, `Are you sure you want to delete ${disk}?`, "Delete", `Deleting ${disk}!`, `Unable to delete disk. Please try again later.`, `/vm/${vmid}`, true)
-});
\ No newline at end of file
+});