From fd88a4e374702e4d1b347b83253d3691e3071aae Mon Sep 17 00:00:00 2001
From: reidlab
Date: Fri, 15 Sep 2023 22:27:07 -0700
Subject: [PATCH] https://nvd.nist.gov/vuln/detail/CVE-2023-34561
---
 readme.md | 6 ++----
 src/endpoints/levels/upload_level.rs | 5 +++++
 src/helpers/levels.rs | 9 +++++++++
 src/template_endpoints/index.rs | 13 ++++++++++++-
 4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/readme.md b/readme.md
index 77851f7..3bd4777 100644
--- a/readme.md
+++ b/readme.md
@@ -40,9 +40,7 @@ _these features are implemented_
 - add more old endpoints + better support for older versions
 - add dailies, events, weekly
 - better way for checking if song is custom (currently `id > 50`)
-- sqlite would make sense for this
-- unscuff difficulties
 - moderation utilities
-- probably make more things bools in the database
 - ip actions
-- better song support
\ No newline at end of file
+- better song support
+- return "-1" instead of panicking for stuff
\ No newline at end of file
diff --git a/src/endpoints/levels/upload_level.rs b/src/endpoints/levels/upload_level.rs
index 798d41e..2ebdcba 100644
--- a/src/endpoints/levels/upload_level.rs
+++ b/src/endpoints/levels/upload_level.rs
@@ -107,6 +107,11 @@ pub fn upload_level(input: Form) -> status::Custom<&'static str
 return status::Custom(Status::Ok, "-1")
 }
 
+ // ACE vulnerability check
+ if let Some(_ace_object) = level_objects.iter().find(|obj| obj.item_block_id() < Some(0) || obj.item_block_id() > Some(1100)) {
+ return status::Custom(Status::Ok, "-1")
+ }
+
 // data base 🤣😁
 use crate::models::{Level, NewLevel};
 
diff --git a/src/helpers/levels.rs b/src/helpers/levels.rs
index a71833d..5cf3777 100644
--- a/src/helpers/levels.rs
+++ b/src/helpers/levels.rs
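Review bot: The new range check rejects every object whose `item_block_id()` is `None`, because `Option`'s ordering places `None` below every `Some`, so `obj.item_block_id() < Some(0)` holds for any object that has no key "80" or whose value fails to parse; if ordinary objects commonly omit that key (not visible here), this refuses legitimate uploads rather than only the malicious ones. Make the handling of a missing id explicit and evaluate the range once, e.g. `if level_objects.iter().any(|obj| obj.item_block_id().is_some_and(|id| !(0..=1100).contains(&id))) {` (or `map_or(false, ...)` on older toolchains), which also drops the unused `_ace_object` binding and the second parse of the same property. Give the upper bound a name instead of the bare `1100`, and reference the advisory in the comment, e.g. `// CVE-2023-34561: reject item/block ids outside the range the game accepts`. If a value that is present but unparseable should also be rejected, the macro's `Option` cannot express that and the check would need to inspect the raw string. upload_level's body starts and ends outside the hunk.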
@@ -21,6 +21,14 @@ macro_rules! object_prop_bool {
 };
 }
 
+macro_rules! object_prop_int {
+ ($key:expr, $name:ident) => {
+ pub fn $name(&self) -> Option {
+ self.raw.get($key).and_then(|s| s.parse().ok())
+ }
+ };
+}
+
 #[derive(Clone)]
 pub struct ObjectData {
 raw: HashMap
@@ -44,6 +52,7 @@ impl ObjectData {
 }
 
 object_prop_bool!("13", checked);
+ object_prop_int!("80", item_block_id);
 }
 
 pub enum PortalSpeed {
diff --git a/src/template_endpoints/index.rs b/src/template_endpoints/index.rs
index 029c427..16fbe81 100644
--- a/src/template_endpoints/index.rs
+++ b/src/template_endpoints/index.rs
@@ -6,7 +6,18 @@ use rand::Rng;
 pub fn index() -> Template {
 let silly_strings: Vec<&str> = vec![
 "the trianges consume",
- "geomtry das"
+ "geomtry das",
+ "now with no RCE!",
+ "the best gdps",
+ "better than topala",
+ "better than robtop",
+ "slaughterhouse",
+ "deepwoken verse 3",
+ "skibidi toilet",
+ "kagepro",
+ "wowaka is peak music",
+ "you have been warned: dyno jun",
+ "listen to jin"
 ];
 let mut rng = rand::thread_rng();
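Review bot: `object_prop_int` folds two different situations into `None` — key `$key` absent from `self.raw`, and a value present that `parse()` rejects — and nothing in the hunk records that, which matters once a generated method such as `item_block_id` (used as a security gate in upload_level.rs in this same commit) is compared against a range. Add a doc comment on the generated method, e.g. `/// Integer property `$key`; `None` when the key is missing or the value is not a valid integer.`. The return type as shown is a bare `Option`, so the integer type is not visible; if it is inferred at each use site, fixing it in the macro (or taking a `$ty` parameter) would make callers' range comparisons unambiguous. The hunk at `@@ -44,6 +52,7 @@` only wires the macro up and needs no change.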