🔒️Fix security issue

rrrobo · rrrobo · commit a10d53811098 · 2022-10-10T13:14:18.000+09:00
diff --git a/routes/api/lineMaps.js b/routes/api/lineMaps.js
@@ -48,8 +48,10 @@ module.exports.getLineMaps = getLineMaps;
 
 adminRouter.post('/', function (req, res) {
   const map = req.body;
-
-  // logger.debug(map)
+  if (typeof(map) != "object") {
+    res.status(400).send("Bad request");
+    return;
+  }
 
   const tiles = [];
   for (const i in map.tiles) {
diff --git a/routes/api/mazeMaps.js b/routes/api/mazeMaps.js
@@ -45,8 +45,10 @@ module.exports.getMazeMaps = getMazeMaps;
 
 adminRouter.post('/', function (req, res) {
   const map = req.body;
-
-  // logger.debug(map)
+  if (typeof(map) != "object") {
+    res.status(400).send("Bad request");
+    return;
+  }
 
   const cells = [];
   for (const i in map.cells) {
diff --git a/routes/api/teams.js b/routes/api/teams.js
@@ -15,6 +15,7 @@ const { ACCESSLEVELS } = require('../../models/user');
 const logger = require('../../config/logger').mainLogger;
 const competitiondb = require('../../models/competition');
 const auth = require('../../helper/authLevels');
+const { type } = require('os');
 
 const { LEAGUES_JSON } = competitiondb;
 
@@ -358,6 +359,10 @@ adminRouter.post('/', function (req, res) {
 
 adminRouter.post('/bulk', function (req, res) {
   const teams = req.body;
+  if (typeof(teams) != "object") {
+    res.status(400).send("Bad request");
+    return;
+  }
 
   competitiondb.competition
     .findOne({
