From 802d5a33bd77b3d177d3873c225daf2edc5286da Mon Sep 17 00:00:00 2001
From: Sam Anthony
Date: Fri, 29 Nov 2024 14:00:43 -0500
Subject: server: input validation
---
 server/duty.go | 11 ++++++++++-
 server/humidity.go | 11 ++++++++++-
 server/target.go | 2 +-
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/server/duty.go b/server/duty.go
index 82bf60f..55022f3 100644
--- a/server/duty.go
+++ b/server/duty.go
@@ -8,6 +8,11 @@ import (
 "strconv"
 )
+const (
+ minDutyCycle = 0.0
+ maxDutyCycle = 100.0
+)
+
 type DutyCycle float32
 type DutyCycleHandler struct {
@@ -24,10 +29,14 @@ func (h DutyCycleHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 dc, err := strconv.ParseFloat(r.URL.RawQuery, 32)
- if err != nil {
+ if err != nil || !isValidDutyCycle(dc) {
 badRequest(w, "invalid duty cycle: '%s'", r.URL.RawQuery)
 return
 }
 h.dc.Set <- DutyCycle(dc)
 }
+
+func isValidDutyCycle(dc float64) bool {
+ return dc >= minDutyCycle && dc <= maxDutyCycle
+}
diff --git a/server/humidity.go b/server/humidity.go
index 8cffccc..e31f4fb 100644
--- a/server/humidity.go
+++ b/server/humidity.go
@@ -8,6 +8,11 @@ import (
 "strconv"
 )
+const (
+ minHumidity = 0.0
+ maxHumidity = 100.0
+)
+
 type Humidity float32
 type HumidityHandler struct {
@@ -46,7 +51,7 @@ func (h HumidityHandler) post(w http.ResponseWriter, r *http.Request) {
 humidityStr := queryVals["humidity"]
 humidity, err := strconv.ParseFloat(humidityStr, 32)
- if err != nil {
+ if err != nil || !isValidHumidity(humidity){
 badRequest(w, "invalid humidity: '%s'", humidityStr)
 return
 }
@@ -79,3 +84,7 @@ func parseQuery(query string, keys []string) (map[string]string, error) {
 }
 return vals, nil
 }
+
+func isValidHumidity(humidity float64) bool {
+ return humidity >= minHumidity && humidity <= maxHumidity;
+}
diff --git a/server/target.go b/server/target.go
index 2d7ca80..c79d75e 100644
--- a/server/target.go
+++ b/server/target.go
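Review bot: In server/duty.go, `isValidDutyCycle` carries no comment recording that the range check is also what rejects NaN and ±Inf, which `strconv.ParseFloat` accepts as input without returning an error. They are rejected only because `dc >= minDutyCycle && dc <= maxDutyCycle` evaluates to false for them; a later rewrite to the negated form `!(dc < minDutyCycle || dc > maxDutyCycle)` would let NaN through to `h.dc.Set`. I would add `// isValidDutyCycle reports whether dc lies in [minDutyCycle, maxDutyCycle]; NaN and ±Inf fail the comparisons and are rejected.` above the function. The same applies to `isValidHumidity` in server/humidity.go, and since the diffstat lists no test file, the boundary cases (0, 100, NaN, Inf) appear to be untested.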
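Review bot: In server/humidity.go the new condition `if err != nil || !isValidHumidity(humidity){` lacks the space before `{`, and the added `isValidHumidity` in the file's last hunk ends its return statement with a stray `;`, so the file is not gofmt-clean. Running gofmt yields `if err != nil || !isValidHumidity(humidity) {` and `return humidity >= minHumidity && humidity <= maxHumidity`. The body of `post` begins before this hunk and continues past it.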
@@ -31,7 +31,7 @@ func (h TargetHumidityHandler) get(w http.ResponseWriter, r *http.Request) {
 func (h TargetHumidityHandler) post(w http.ResponseWriter, r *http.Request) {
 target, err := strconv.ParseFloat(r.URL.RawQuery, 32)
- if err != nil {
+ if err != nil || !isValidHumidity(target) {
 badRequest(w, "invalid humidity: '%s'", r.URL.RawQuery)
 return
 }
-- 
cgit v1.2.3
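Review bot: The rejection path that the new `!isValidHumidity(target)` check feeds still formats the raw query with `'%s'`, so client-supplied text is reproduced unescaped in whatever `badRequest` emits. `badRequest` is not shown here, so whether that is the response body, a log line or both cannot be confirmed; assuming it hands its arguments to `fmt`, `%q` would quote and escape the value in either case: `badRequest(w, "invalid humidity: %q", r.URL.RawQuery)`. The same applies to the `badRequest` calls in server/duty.go and server/humidity.go. The body of `post` continues past the end of this hunk.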