From 5b921c9a983b3f2588c0e151c28b26e45cf95f87 Mon Sep 17 00:00:00 2001
From: ilotterytea
Date: Mon, 13 May 2024 22:49:34 +0500
Subject: feat: check if the message has sql injection
---
 src/handlers.cpp | 10 ++++++++++
 src/utils/string.cpp | 15 +++++++++++++++
 src/utils/string.hpp | 2 ++
 3 files changed, 27 insertions(+)
diff --git a/src/handlers.cpp b/src/handlers.cpp
index a7d768d..add59f0 100644
--- a/src/handlers.cpp
+++ b/src/handlers.cpp
@@ -1,6 +1,7 @@
 #include "handlers.hpp"
 #include
+#include
 #include
 #include
 #include
@@ -12,6 +13,7 @@
 #include "commands/request_util.hpp"
 #include "irc/message.hpp"
 #include "localization/line_id.hpp"
+#include "utils/string.hpp"
 namespace bot::handlers {
 void handle_private_message(
@@ -19,6 +21,14 @@ namespace bot::handlers {
 const command::CommandLoader &command_loader,
 const irc::Message &message, pqxx::connection &conn) {
+ if (utils::string::string_contains_sql_injection(message.message)) {
+ std::cout << "[TWITCH HANDLER] Attempted to process the message, but it " "seems to contain SQL " "injection symbols: " << message.message << "\n";
+ return;
+ }
+
 std::optional request = command::generate_request(command_loader, message, conn);
diff --git a/src/utils/string.cpp b/src/utils/string.cpp
index 9727f3f..b8ba269 100644
--- a/src/utils/string.cpp
+++ b/src/utils/string.cpp
@@ -1,5 +1,6 @@
 #include "string.hpp"
+#include
 #include
 #include
 #include
@@ -48,6 +49,20 @@ namespace bot {
 return str;
 }
+
+ bool string_contains_sql_injection(const std::string &input) {
+ std::string forbidden_strings[] = {";", "--", "'", "\"", "/*", "*/", "xp_", "exec", "sp_", "insert", "select", "delete"};
+
+ for (const auto &str : forbidden_strings) {
+ if (input.find(str) != std::string::npos) {
+ return true;
+ }
+ }
+
+ return false;
+ }
 }
 }
 }
diff --git a/src/utils/string.hpp b/src/utils/string.hpp
index 5c9a088..c8385ad 100644
--- a/src/utils/string.hpp
+++ b/src/utils/string.hpp
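Review bot: The guard added at the top of `handle_private_message` rejects any message containing an apostrophe, a double quote, `--`, or the substrings `exec`, `select`, `insert` or `delete`, so ordinary chat such as `don't` or `selection` is dropped, while the SQL that is eventually built from `message` (in `command::generate_request` and below, outside this hunk) is no safer than before. Input filtering is not the control for SQL injection; the pqxx query sites should bind values as parameters (`exec_params`, or `conn.prepare` + `exec_prepared`) and pass any dynamic identifier through `quote_name`, after which this check is unnecessary. If the heuristic is kept as a telemetry signal, it should not echo the attacker-controlled `message.message` verbatim to stdout, where embedded newlines or control characters can forge log lines; log a fixed string plus a length or an escaped copy, e.g. `std::cout << "[TWITCH HANDLER] message flagged by SQL heuristic (" << message.message.size() << " bytes), dropping\n";`. The remainder of the function body lies outside the hunk.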
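Review bot: `string_contains_sql_injection` is a case-sensitive substring scan — `input.find("select")` does not match `SELECT` but does match `selection` — so it should be documented and treated as a heuristic, not as the SQL-injection control; the pqxx query sites (outside this file) need parameter binding regardless. Independently of that, the twelve `std::string` objects in `forbidden_strings` are constructed on every call; a `static constexpr std::string_view` table with `std::any_of` removes the allocations and the hand-written loop (C++17, which the `std::optional` use in handlers.cpp already implies). The `+#include` added at the top of this file has lost its target in this rendering; the version below needs `<algorithm>`, `<iterator>` and `<string_view>`, and `std::string::find` accepts a `string_view` directly since C++17. The enclosing `namespace bot { ... }` nesting opens before the hunk.
```cpp
bool string_contains_sql_injection(const std::string &input) {
  // Heuristic only: case-sensitive substring match against a fixed table.
  // Not a substitute for parameter binding at the pqxx query sites.
  static constexpr std::string_view kForbidden[] = {
      ";", "--", "'", "\"", "/*", "*/", "xp_", "exec",
      "sp_", "insert", "select", "delete"};
  return std::any_of(std::begin(kForbidden), std::end(kForbidden),
                     [&input](std::string_view needle) {
                       return input.find(needle) != std::string::npos;
                     });
}
```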
@@ -25,6 +25,8 @@ namespace bot {
 }
 return ss.str();
 }
+
+ bool string_contains_sql_injection(const std::string &input);
 }
 }
 }
-- 
cgit v1.2.3
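Review bot: The new declaration carries no comment stating what the function actually checks, and a caller reading the name `string_contains_sql_injection` will assume a stronger guarantee than a substring scan gives. Suggest a doc comment above it: `/// Heuristic: true if the input contains one of a fixed, case-sensitive list of SQL-looking substrings (";", "--", quotes, "select", ...). Not an injection defense; bind query parameters at the call site.` The surrounding namespace and the neighbouring declarations are outside the hunk.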