Update src/db.rs

Add comprehensive validation for rating parameters. Consider adding validation for all rating parameters to ensure data consistency: Validate min_rating and max_rating range Ensure min_rating <= last_rating <= max_rating Validate total_rating against total_reviews Add public_key format validation Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
MostroP2P · Dec 23, 2024 · 420487a · 420487a
1 parent 1784a20
commit 420487a
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/src/db.rs b/src/db.rs
@@ -384,13 +384,26 @@ pub async fn update_user_rating(
     total_reviews: i64,
     total_rating: i64,
 ) -> anyhow::Result<User> {
+    // Validate public key format (32-bytes hex)
+    if !public_key.chars().all(|c| c.is_ascii_hexdigit()) || public_key.len() != 64 {
+        return Err(anyhow::anyhow!("Invalid public key format"));
+    }
     // Validate rating values
-    if !(0..5).contains(&last_rating) {
+    if !(0..=5).contains(&last_rating) {
         return Err(anyhow::anyhow!("Invalid rating value"));
     }
+    if !(0..=5).contains(&min_rating) || !(0..=5).contains(&max_rating) {
+        return Err(anyhow::anyhow!("Invalid min/max rating values"));
+    }
+    if min_rating > last_rating || last_rating > max_rating {
+        return Err(anyhow::anyhow!("Rating values must satisfy: min_rating <= last_rating <= max_rating"));
+    }
     if total_reviews < 0 {
         return Err(anyhow::anyhow!("Invalid total reviews"));
     }
+    if total_rating < 0 || total_rating > total_reviews * 5 {
+        return Err(anyhow::anyhow!("Invalid total rating"));
+    }
     if let Ok(user) = sqlx::query_as::<_, User>(
         r#"
             UPDATE users SET last_rating = ?1, min_rating = ?2, max_rating = ?3, total_reviews = ?4, total_rating = ?5 WHERE pubkey = ?6