From c8695ecb1cfd72c8f9e1fa51dbade9a588f127e5 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Tue, 17 Dec 2019 20:41:36 +0100
Subject: travel, import API: Verify that payload is a hash

---
 lib/Travelynx/Controller/Api.pm | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm
index 834317c..42e4774 100755
--- a/lib/Travelynx/Controller/Api.pm
+++ b/lib/Travelynx/Controller/Api.pm
@@ -169,14 +169,25 @@ sub get_v1 {
 sub travel_v1 {
 	my ($self) = @_;
 
-	my $payload   = $self->req->json;
+	my $payload = $self->req->json;
+
+	if ( not $payload or ref($payload) ne 'HASH' ) {
+		$self->render(
+			json => {
+				success => \0,
+				error   => 'Malformed JSON',
+			},
+		);
+		return;
+	}
+
 	my $api_token = $payload->{token} // '';
 
 	if ( $api_token !~ qr{ ^ (?<id> \d+ ) - (?<token> .* ) $ }x ) {
 		$self->render(
 			json => {
 				success => \0,
-				error   => 'Malformed JSON or malformed token',
+				error   => 'Malformed token',
 			},
 		);
 		return;
@@ -338,14 +349,25 @@ sub travel_v1 {
 sub import_v1 {
 	my ($self) = @_;
 
-	my $payload   = $self->req->json;
+	my $payload = $self->req->json;
+
+	if ( not $payload or ref($payload) ne 'HASH' ) {
+		$self->render(
+			json => {
+				success => \0,
+				error   => 'Malformed JSON',
+			},
+		);
+		return;
+	}
+
 	my $api_token = $payload->{token} // '';
 
 	if ( $api_token !~ qr{ ^ (?<id> \d+ ) - (?<token> .* ) $ }x ) {
 		$self->render(
 			json => {
 				success => \0,
-				error   => 'Malformed JSON or malformed token',
+				error   => 'Malformed token',
 			},
 		);
 		return;
-- 
cgit v1.2.3