From b4f980b34959dd3bd1ea96dbae83a212936b5c2f Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Thu, 12 Aug 2021 19:52:49 +0100
Subject: [PATCH] Restrict lists API endpoints to local/apiKey requests only.
---
 .../java/org/qortal/api/resource/ListsResource.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/main/java/org/qortal/api/resource/ListsResource.java b/src/main/java/org/qortal/api/resource/ListsResource.java
index b6387b6d..dea6690c 100644
--- a/src/main/java/org/qortal/api/resource/ListsResource.java
+++ b/src/main/java/org/qortal/api/resource/ListsResource.java
@@ -43,6 +43,8 @@ public class ListsResource {
 )
 @ApiErrors({ApiError.INVALID_ADDRESS, ApiError.ADDRESS_UNKNOWN, ApiError.REPOSITORY_ISSUE})
 public String addAddressToBlacklist(@PathParam("address") String address) {
+ Security.checkApiCallAllowed(request);
+
 if (!Crypto.isValidAddress(address))
 throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_ADDRESS);
 
@@ -85,6 +87,8 @@ public class ListsResource {
 )
 @ApiErrors({ApiError.INVALID_ADDRESS, ApiError.ADDRESS_UNKNOWN, ApiError.REPOSITORY_ISSUE})
 public String addAddressesToBlacklist(AddressListRequest addressListRequest) {
+ Security.checkApiCallAllowed(request);
+
 if (addressListRequest == null || addressListRequest.addresses == null) {
 throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_CRITERIA);
 }
@@ -147,6 +151,8 @@ public class ListsResource {
 )
 @ApiErrors({ApiError.INVALID_ADDRESS, ApiError.ADDRESS_UNKNOWN, ApiError.REPOSITORY_ISSUE})
 public String removeAddressFromBlacklist(@PathParam("address") String address) {
+ Security.checkApiCallAllowed(request);
+
 if (!Crypto.isValidAddress(address))
 throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_ADDRESS);
 
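Review bot: The access check is hand-copied as the first statement of `addAddressToBlacklist` and of the five other methods this patch touches, so an endpoint added to `ListsResource` later stays open to remote callers unless its author remembers the call. A comment above the class such as `// Every endpoint in this resource must begin with Security.checkApiCallAllowed(request);` would at least record the rule; applying the check once for the whole resource (for example in a request filter) would remove the dependence on memory, if the API setup allows it. Running the check before `Crypto.isValidAddress` is the right order, since a refused caller then learns nothing about whether the address was well-formed. The method bodies continue outside the hunks.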
@@ -189,6 +195,8 @@ public class ListsResource {
 )
 @ApiErrors({ApiError.INVALID_ADDRESS, ApiError.ADDRESS_UNKNOWN, ApiError.REPOSITORY_ISSUE})
 public String removeAddressesFromBlacklist(AddressListRequest addressListRequest) {
+ Security.checkApiCallAllowed(request);
+
 if (addressListRequest == null || addressListRequest.addresses == null) {
 throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_CRITERIA);
 }
@@ -250,6 +258,7 @@ public class ListsResource {
 }
 )
 public String getAddressBlacklist() {
+ Security.checkApiCallAllowed(request);
 return ResourceListManager.getInstance().getBlacklistJSONString();
 }
 
@@ -266,6 +275,8 @@ public class ListsResource {
 )
 @ApiErrors({ApiError.INVALID_ADDRESS, ApiError.ADDRESS_UNKNOWN, ApiError.REPOSITORY_ISSUE})
 public String checkAddressInBlacklist(@PathParam("address") String address) {
+ Security.checkApiCallAllowed(request);
+
 if (!Crypto.isValidAddress(address))
 throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.INVALID_ADDRESS);
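Review bot: `getAddressBlacklist` has no `@ApiErrors` annotation in the visible context, yet it can now be refused by `Security.checkApiCallAllowed(request)`, so the generated API documentation will not tell a client that the call may be rejected. Add an `@ApiErrors({...})` entry naming the error that check raises; its body is not part of this patch, so the exact constant needs confirming. The lists on `removeAddressesFromBlacklist` and `checkAddressInBlacklist`, and on the three methods in the earlier hunks, still name only the address and repository errors and need the same addition. The added line here is also the only one of the six not followed by a blank line.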