From 9cb32a843fbe1df9121525f3ec0b16b184b27d46 Mon Sep 17 00:00:00 2001
From: jomo
Date: Thu, 1 Feb 2024 22:19:02 +0100
Subject: [PATCH] strip dashes from uuids before handling them
---
 lib/helpers.js | 4 ++--
 lib/routes/avatars.js | 6 +++---
 lib/routes/capes.js | 5 ++---
 lib/routes/renders.js | 6 +++---
 lib/routes/skins.js | 5 ++---
 test/test.js | 8 ++++++--
 6 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/lib/helpers.js b/lib/helpers.js
index 775c6b8..161a577 100644
--- a/lib/helpers.js
+++ b/lib/helpers.js
@@ -7,8 +7,8 @@ var skins = require("./skins");
 var path = require("path");
 var fs = require("fs");
-// 0098cb60-fa8e-427c-b299-793cbd302c9a
-var valid_user_id = /^[0-9a-fA-F\-]{32,36}$/; // uuid
+// 0098cb60fa8e427cb299793cbd302c9a
+var valid_user_id = /^[0-9a-fA-F]{32}$/; // uuid
 var hash_pattern = /[0-9a-f]+$/; // gets the hash from the textures.minecraft.net +url+
diff --git a/lib/routes/avatars.js b/lib/routes/avatars.js
index 9daea9e..fe6ab70 100644
--- a/lib/routes/avatars.js
+++ b/lib/routes/avatars.js
@@ -67,6 +67,9 @@ module.exports = function(req, callback) {
 return;
 }
+ // strip dashes
+ userId = userId.replace(/-/g, "");
+
 // Prevent app from crashing/freezing
 if (size < config.avatars.min_size || size > config.avatars.max_size) { // "Unprocessable Entity", valid request, but semantically erroneous:
@@ -84,9 +87,6 @@ module.exports = function(req, callback) {
 return;
 }
- // strip dashes
- userId = userId.replace(/-/g, "");
-
 try {
 helpers.get_avatar(req.id, userId, overlay, size, function(err, status, image, hash) {
 if (err) {
diff --git a/lib/routes/capes.js b/lib/routes/capes.js
index 1995c55..fe38ca9 100644
--- a/lib/routes/capes.js
+++ b/lib/routes/capes.js
@@ -17,6 +17,8 @@ module.exports = function(req, callback) {
 return;
 }
+ // strip dashes
+ userId = userId.replace(/-/g, "");
 if (!helpers.id_valid(userId)) {
 callback({
 status: -2,
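Review bot: The tightened `valid_user_id` pattern in lib/helpers.js now rejects dashed ids, which makes `helpers.id_valid` depend on every caller having removed dashes first, and the comment above the pattern only shows a sample value. I would state that contract at the definition, e.g. `// 32 hex digits, no dashes: callers must strip dashes before validating`. The character class still accepts both upper- and lower-case hex; whether ids are case-folded before they are used as lookup or cache keys is not visible in this hunk, so that is worth confirming.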
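Review bot: The added `userId = userId.replace(/-/g, "")` in lib/routes/avatars.js removes dashes at any position and in any number before validation, so any path segment that reduces to 32 hex digits is accepted and many distinct URLs resolve to the same id; the same line is added in capes.js, renders.js and skins.js. If only the undashed and the canonical 8-4-4-4-12 forms are meant to be served, test the shape first and strip only on a match, e.g. `if (/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i.test(userId)) userId = userId.replace(/-/g, "");`. The call also now sits ahead of `helpers.id_valid` (visible in the capes.js and skins.js hunks) and outside the `try` further down, so it relies on `userId` always being a string; its assignment is outside the hunk, so please confirm. With four copies of the line, a single normalising helper next to `id_valid` would keep the routes from drifting apart.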
@@ -25,9 +27,6 @@ module.exports = function(req, callback) {
 return;
 }
- // strip dashes
- userId = userId.replace(/-/g, "");
-
 try {
 helpers.get_cape(rid, userId, function(err, hash, status, image) {
 if (err) {
diff --git a/lib/routes/renders.js b/lib/routes/renders.js
index 2f67de7..5a335fe 100644
--- a/lib/routes/renders.js
+++ b/lib/routes/renders.js
@@ -85,6 +85,9 @@ module.exports = function(req, callback) {
 return;
 }
+ // strip dashes
+ userId = userId.replace(/-/g, "");
+
 if (scale < config.renders.min_scale || scale > config.renders.max_scale) {
 callback({
 status: -2,
@@ -99,9 +102,6 @@ module.exports = function(req, callback) {
 return;
 }
- // strip dashes
- userId = userId.replace(/-/g, "");
-
 try {
 helpers.get_render(rid, userId, scale, overlay, body, function(err, status, hash, image) {
 if (err) {
diff --git a/lib/routes/skins.js b/lib/routes/skins.js
index 56f8a92..6951f46 100644
--- a/lib/routes/skins.js
+++ b/lib/routes/skins.js
@@ -75,6 +75,8 @@ module.exports = function(req, callback) {
 return;
 }
+ // strip dashes
+ userId = userId.replace(/-/g, "");
 if (!helpers.id_valid(userId)) {
 callback({
 status: -2,
@@ -83,9 +85,6 @@ module.exports = function(req, callback) {
 return;
 }
- // strip dashes
- userId = userId.replace(/-/g, "");
-
 try {
 helpers.get_skin(rid, userId, function(err, hash, status, image, slim) {
 if (err) {
diff --git a/test/test.js b/test/test.js
index bd9ff9c..4e9c330 100644
--- a/test/test.js
+++ b/test/test.js
@@ -88,8 +88,8 @@ describe("Crafatar", function() {
 assert.strictEqual(helpers.id_valid("1DCEF164FF0A47F2B9A691385C774EE7"), true);
 done();
 });
- it("dashed uuid is valid", function(done) {
- assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), true);
+ it("dashed uuid is not valid", function(done) {
+ assert.strictEqual(helpers.id_valid("0098cb60-fa8e-427c-b299-793cbd302c9a"), false);
 done();
 });
 it("username is invalid", function(done) {
@@ -300,6 +300,10 @@ describe("Crafatar", function() {
 url: "http://localhost:3000/avatars/853c80ef3c3749fdaa49938b674adae6?size=16",
 crc32: [4264176600],
 },
+ "avatar with existing dashed uuid": {
+ url: "http://localhost:3000/avatars/853c80ef-3c37-49fd-aa49938b674adae6?size=16",
+ crc32: [4264176600],
+ },
 "avatar with non-existent uuid": {
 url: "http://localhost:3000/avatars/00000000000000000000000000000000?size=16",
 crc32: [3348154329],
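Review bot: The id in the new "avatar with existing dashed uuid" case, `853c80ef-3c37-49fd-aa49938b674adae6`, has only three dashes, so it is not a canonical dashed UUID and the case passes only because the routes strip dashes wherever they occur. If the intent is to cover the standard form, use `853c80ef-3c37-49fd-aa49-938b674adae6`; if the intent is to pin the lenient behaviour, say so in the case name and add the canonical form alongside it. No dashed-id case for the skins, capes or renders routes is visible in this hunk even though the same change was made to them; the list of cases continues outside the hunk, so they may exist elsewhere.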