ID Validation (#196)

bgeesaman · web-flow · commit 5d791c39c590 · 2025-07-01T08:52:03.000-04:00
diff --git a/internal/handlers/agent.go b/internal/handlers/agent.go
@@ -21,7 +21,15 @@ func (h *Handler) GetSessions(c *fiber.Ctx) error {
 
 func (h *Handler) GetSession(c *fiber.Ctx) error {
 	session := models.AgentSession{}
-	res := h.db.First(&session, c.Params("id"))
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "session id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid session id"})
+	}
+	res := h.db.First(&session, id)
 	if res.Error != nil {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": res.Error.Error()})
 	}
@@ -51,7 +59,15 @@ func (h *Handler) CreateSession(c *fiber.Ctx) error {
 
 func (h *Handler) DeleteSession(c *fiber.Ctx) error {
 	session := models.AgentSession{}
-	res := h.db.Delete(&session, c.Params("id"))
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "session id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid session id"})
+	}
+	res := h.db.Delete(&session, id)
 	if res.RowsAffected == 0 {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "session not found"})
 	}
diff --git a/internal/handlers/domain.go b/internal/handlers/domain.go
@@ -26,7 +26,16 @@ func (h *Handler) GetDomains(c *fiber.Ctx) error {
 
 func (h *Handler) GetDomain(c *fiber.Ctx) error {
 	domain := models.Domain{}
-	res := h.db.First(&domain, c.Params("id"))
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "domain id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid domain id"})
+	}
+
+	res := h.db.First(&domain, id)
 	if res.Error != nil {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": res.Error.Error()})
 	}
@@ -87,7 +96,16 @@ func (h *Handler) UpdateDomain(c *fiber.Ctx) error {
 
 func (h *Handler) DeleteDomain(c *fiber.Ctx) error {
 	domain := models.Domain{}
-	res := h.db.Delete(&domain, c.Params("id"))
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "domain id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid domain id"})
+	}
+
+	res := h.db.Delete(&domain, id)
 	if res.RowsAffected == 0 {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "domain not found"})
 	}
diff --git a/internal/handlers/report.go b/internal/handlers/report.go
@@ -1,6 +1,8 @@
 package handlers
 
 import (
+	"strconv"
+
 	"github.com/gofiber/fiber/v2"
 
 	"github.com/ghostsecurity/reaper/internal/database/models"
@@ -16,7 +18,16 @@ func (h *Handler) GetReports(c *fiber.Ctx) error {
 
 func (h *Handler) GetReport(c *fiber.Ctx) error {
 	report := models.Report{}
-	err := h.db.First(&report, c.Params("id")).Error
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "report id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid report id"})
+	}
+
+	err := h.db.First(&report, id).Error
 	if err != nil {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": err.Error()})
 	}
@@ -56,7 +67,16 @@ func (h *Handler) CreateReport(c *fiber.Ctx) error {
 
 func (h *Handler) DeleteReport(c *fiber.Ctx) error {
 	report := models.Report{}
-	res := h.db.Delete(&report, c.Params("id"))
+	id := c.Params("id")
+	if id == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "report id is required"})
+	}
+
+	if _, err := strconv.Atoi(id); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid report id"})
+	}
+
+	res := h.db.Delete(&report, id)
 	if res.RowsAffected == 0 {
 		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "report not found"})
 	}
