author | kaotisk <kaotisk@arching-kaos.org> | 2024-06-04 16:48:40 +0300 |
---|---|---|
committer | kaotisk <kaotisk@arching-kaos.org> | 2024-06-04 16:48:40 +0300 |
commit | b9ba1a96e6a93e203f26da3e20ce1d4987925318 (patch) | |
tree | aa0820c5fa85bdd003df727016727965a94e73e1 | |
parent | 8f5f4a30da8f3226ff5337d1da8f76f7eed08034 (diff) | |
Path traversal fix + validation
-rw-r--r-- | api/routes/getMrk/index.js | 2 | ||||
-rw-r--r-- | api/routes/getTr/index.js | 7 |
2 files changed, 5 insertions, 4 deletions
diff --git a/api/routes/getMrk/index.js b/api/routes/getMrk/index.js
index 6cc61b8..35a0a2d 100644
--- a/api/routes/getMrk/index.js
+++ b/api/routes/getMrk/index.js
@@ -46,7 +46,7 @@ function fetchFmrk(mrk, res){
 module.exports = (req, res) => {
 console.log(req.params)
 res.set('Content-Type', 'application/json');
-if ( (req.params.mrk) && req.params.mrk.length === 128 ){
+if ( (req.params.mrk) && typeof req.params.mrk === "string" && req.params.mrk.length === 128 ){
 regex= /[a-f0-9]{128}/;
 if (regex.test(req.params.mrk)){
 let mrk = req.params.mrk;
diff --git a/api/routes/getTr/index.js b/api/routes/getTr/index.js
index a7acb55..5701f52 100644
--- a/api/routes/getTr/index.js
+++ b/api/routes/getTr/index.js
@@ -46,13 +46,14 @@ function fetchFtr(tr, res){
 module.exports = (req, res) => {
 console.log(req.params)
 res.set('Content-Type', 'application/json');
-if ( (req.params.tr) && req.params.tr.length === 128 ){
+if ( (req.params.tr) && typeof req.params.tr === "string" && req.params.tr.length === 128 ){
 regex= /[a-f0-9]{128}/;
 if (regex.test(req.params.tr)){
-if (req.params.tr === "QmbFMke1KXqnYyBBWxB74N4c5SBnJMVAiMNRcGu6x1AwQH" ){
+let tr = req.params.tr;
+if (tr === "QmbFMke1KXqnYyBBWxB74N4c5SBnJMVAiMNRcGu6x1AwQH" ){
 res.send({error:"Genesis block"});
 } else {
-fetchFtr(req.params.tr,res);
+fetchFtr(tr,res);
 }
 } else {
 res.send({error:"Invalid data: regexp failed to pass"});
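Review bot: `regex= /[a-f0-9]{128}/;` on the context line right after the new `typeof` guard assigns to an undeclared name, which creates an implicit global in sloppy mode and throws a ReferenceError under `'use strict'`, so the hardened check still leans on a fragile line; declare it locally and anchor the pattern so validation does not depend on the preceding length comparison: `const regex = /^[a-f0-9]{128}$/;`. The same undeclared `regex` is in the getTr hunk. The added `typeof req.params.mrk === "string"` guard is harmless, but route params are presumably already strings here, so a short comment stating which input shape it defends against (e.g. array-valued parameters) would help the next reader judge whether the same guard is needed on `req.query`/`req.body` handlers. The handler body continues past the end of the hunk.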
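Review bot: The genesis check `if (tr === "QmbFMke1KXqnYyBBWxB74N4c5SBnJMVAiMNRcGu6x1AwQH" )` is unreachable on the new side: it sits inside the branch that first requires `tr.length === 128` and a `[a-f0-9]{128}` match, while the compared literal is 46 characters long and contains characters outside `[a-f0-9]`, so `res.send({error:"Genesis block"})` can never execute. If a genesis identifier of that form is a legitimate input, the comparison belongs before the length/hex validation; otherwise the branch should be removed with a comment recording why, rather than carried forward through the `let tr` refactor. The closing lines of the handler are outside the hunk.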