Fix list services: SQL injection, auth, bugs, style, docs

Security:
- Add Db::escape_string() to all SQL-interpolated list_id values
- Add ownership verification (user_id check) to add_caches,
  get_caches, remove_caches, and update endpoints
- Add oc.de gate to add_caches, get_caches, remove_caches

Bug fixes:
- Fix double JSON encoding in query (pass array, not json_encode)
- Fix password truncation in create/update: truncate before escaping
  to avoid corrupting escape sequences
- Fix deletion order in delete: remove child records (items, watches)
  before parent (cache_lists) to avoid FK constraint issues
- Fix NULL password handling in update: generate 'password = NULL'
  instead of 'password = ''' when clearing password

Style:
- Rename all camelCase variables to snake_case
- Remove unused imports (LogsCommon, OkapiServiceRunner, etc.)
- Restore save_user_coords in OkapiServiceRunner (kept per PR #628)

Documentation:
- Fix typo ::service/lists/query -> ::services/lists/query
- Fix "removed to the list" -> "removed from the list"
- Fix "sucessfully" -> "successfully"

Author: baiti

okapi/services/lists/add_caches/WebService.php

@@ -3,10 +3,11 @@
 namespace okapi\services\lists\add_caches;
 
 use okapi\core\Db;
+use okapi\core\Exception\BadRequest;
+use okapi\core\Exception\InvalidParam;
 use okapi\core\Okapi;
 use okapi\core\Request\OkapiRequest;
 use okapi\Settings;
-use okapi\core\Exception\InvalidParam;
 
 class WebService
 {
@@ -19,49 +20,58 @@ public static function options()
 
     public static function call(OkapiRequest $request)
     {
-        $result = array(
-            'success' => false
-        );
+        if (Settings::get('OC_BRANCH') != 'oc.de')
+            throw new BadRequest('This method is not supported in this OKAPI installation.');
 
         $user_id = $request->token->user_id;
 
-        $listId     = $request->get_parameter('list_id');
-        $cacheCodes = $request->get_parameter('cache_codes');
+        $list_id     = $request->get_parameter('list_id');
+        $cache_codes = $request->get_parameter('cache_codes');
 
-        if (empty($listId)) {
+        if (empty($list_id)) {
             throw new InvalidParam('list_id', 'list_id is mandatory and must not be empty.');
         }
 
-        if (empty($cacheCodes)) {
+        if (empty($cache_codes)) {
             throw new InvalidParam('cache_codes', 'cache_codes is mandatory and must not be empty.');
         }
 
-        $cacheCodesArray = array_unique(explode('|', $cacheCodes));
+        // Verify list ownership
+        $count = Db::select_value("
+            SELECT COUNT(*)
+            FROM cache_lists
+            WHERE id = '".Db::escape_string($list_id)."'
+              AND user_id = '".Db::escape_string($user_id)."'
+        ");
+        if ($count == 0) {
+            throw new InvalidParam('list_id', 'The specified list does not exist or does not belong to you.');
+        }
+
+        $cache_codes_array = array_unique(explode('|', $cache_codes));
 
         // Check the length
-        if (count($cacheCodesArray) > 500) {
+        if (count($cache_codes_array) > 500) {
             throw new InvalidParam('cache_codes', 'The number of cache codes exceeds the limit of 500.');
         }
 
         // Escape cache codes and build the SQL query
-        $escapedCacheCodes = implode("','", array_map('\okapi\core\Db::escape_string', $cacheCodesArray));
+        $escaped_cache_codes = implode("','", array_map('\okapi\core\Db::escape_string', $cache_codes_array));
 
         // Fetch cache_ids from the caches table using INSERT IGNORE
         $rs = Db::query("
             INSERT IGNORE INTO cache_list_items (cache_list_id, cache_id)
-            SELECT '$listId', cache_id
+            SELECT '".Db::escape_string($list_id)."', cache_id
             FROM caches
-            WHERE wp_oc IN ('$escapedCacheCodes')
+            WHERE wp_oc IN ('$escaped_cache_codes')
         ");
 
-        $insertedCount = $rs->rowCount(); // Get the number of affected rows
+        $inserted_count = $rs->rowCount();
 
         $result = array(
             'success'     => true,
-            'added_count' => $insertedCount
+            'added_count' => $inserted_count
         );
 
         return Okapi::formatted_response($request, $result);
     }
 }
-

okapi/services/lists/add_caches/docs.xml

@@ -5,7 +5,7 @@
         <p>This method is used to add geocaches to an existing list.</p>
     </desc>
     <req name="list_id">
-        <p>The id of a list. List IDs can be obtained by ::service/lists/query</p>
+        <p>The id of a list. List IDs can be obtained by ::services/lists/query</p>
     </req>
     <req name="cache_codes">
     <p>A pipe separated list of cache_codes to be added to the list.</p>

okapi/services/lists/create/WebService.php

@@ -3,10 +3,10 @@
 namespace okapi\services\lists\create;
 
 use okapi\core\Db;
+use okapi\core\Exception\InvalidParam;
 use okapi\core\Okapi;
 use okapi\core\Request\OkapiRequest;
 use okapi\Settings;
-use okapi\core\Exception\InvalidParam;
 
 class WebService
 {
@@ -28,66 +28,67 @@ public static function call(OkapiRequest $request)
         {
             $user_id = $request->token->user_id;
 
-            $listName        = $request->get_parameter('list_name');
-            $listDescription = $request->get_parameter('list_description');
-            $listStatus      = $request->get_parameter('list_status');
-            $isWatched       = $request->get_parameter('is_watched');
-            $listPassword    = $request->get_parameter('list_password');
+            $list_name        = $request->get_parameter('list_name');
+            $list_description = $request->get_parameter('list_description');
+            $list_status      = $request->get_parameter('list_status');
+            $is_watched       = $request->get_parameter('is_watched');
+            $list_password    = $request->get_parameter('list_password');
 
-            if (empty($listName)) {
+            if (empty($list_name)) {
                 throw new InvalidParam('list_name', 'list_name is mandatory and must not be empty.');
             }
 
-            $insertFields = array(
-                'name' => Db::escape_string($listName),
+            $insert_fields = array(
+                'name' => Db::escape_string($list_name),
                 'user_id' => Db::escape_string($user_id)
             );
 
-            if (!empty($listDescription)) {
-                $insertFields['description'] = Db::escape_string($listDescription);
+            if (!empty($list_description)) {
+                $insert_fields['description'] = Db::escape_string($list_description);
             }
 
-            if ($listStatus !== null && $listStatus !== '') {
-                $listStatus = (int)$listStatus;
-                if (!in_array($listStatus, [0, 2, 3])) {
+            if ($list_status !== null && $list_status !== '') {
+                $list_status = (int)$list_status;
+                if (!in_array($list_status, [0, 2, 3])) {
                     throw new InvalidParam('list_status', 'list_status must be a valid value (0, 2, 3).');
                 }
-                $insertFields['is_public'] = $listStatus;
+                $insert_fields['is_public'] = $list_status;
 
                 // Handle list_password only if list_status is 0 (private)
-                if ($listStatus == 0) {
-                    if (isset($listPassword) && $listPassword !== '') {
-                        $insertFields['password'] = substr(Db::escape_string($listPassword), 0, 16);
+                if ($list_status == 0) {
+                    if (isset($list_password) && $list_password !== '') {
+                        $insert_fields['password'] = Db::escape_string(substr($list_password, 0, 16));
                     }
                 }
             }
 
-            $columns = implode(', ', array_keys($insertFields));
-            $values = "'" . implode("', '", $insertFields) . "'";
+            $columns = implode(', ', array_keys($insert_fields));
+            $values = "'" . implode("', '", $insert_fields) . "'";
 
-            $insertQuery = "INSERT INTO cache_lists ($columns) VALUES ($values)";
-            Db::query($insertQuery);
+            $insert_query = "INSERT INTO cache_lists ($columns) VALUES ($values)";
+            Db::query($insert_query);
 
-            $listId = Db::last_insert_id();
+            $list_id = Db::last_insert_id();
 
             // Handle is_watched
-            if ($isWatched !== null && $isWatched !== '') {
-                $isWatched = (int)$isWatched;
-                if (!in_array($isWatched, [0, 1])) {
+            if ($is_watched !== null && $is_watched !== '') {
+                $is_watched = (int)$is_watched;
+                if (!in_array($is_watched, [0, 1])) {
                     throw new InvalidParam('is_watched', 'is_watched must be a valid value (0, 1).');
                 }
 
-                // Insert a new record
-                Db::query("INSERT INTO cache_list_watches (cache_list_id, user_id, is_watched) VALUES (LAST_INSERT_ID(), '$user_id', $isWatched)");
+                Db::query("
+                    INSERT INTO cache_list_watches (cache_list_id, user_id, is_watched)
+                    VALUES ('".Db::escape_string($list_id)."', '".Db::escape_string($user_id)."', '".Db::escape_string($is_watched)."')
+                ");
             }
 
             $result = array(
                 'success' => true,
                 'message' => 'Cache list created successfully.',
-                'list_id' => $listId
+                'list_id' => $list_id
             );
         }
         return Okapi::formatted_response($request, $result);
     }
 }
-

okapi/services/lists/delete/WebService.php

@@ -3,10 +3,10 @@
 namespace okapi\services\lists\delete;
 
 use okapi\core\Db;
+use okapi\core\Exception\InvalidParam;
 use okapi\core\Okapi;
 use okapi\core\Request\OkapiRequest;
 use okapi\Settings;
-use okapi\core\Exception\InvalidParam;
 
 class WebService
 {
@@ -28,23 +28,27 @@ public static function call(OkapiRequest $request)
         {
             $user_id = $request->token->user_id;
 
-            $listId = $request->get_parameter('list_id');
+            $list_id = $request->get_parameter('list_id');
 
-            if (empty($listId) || !is_numeric($listId)) {
+            if (empty($list_id) || !is_numeric($list_id)) {
                 throw new InvalidParam('list_id', 'list_id is mandatory and must be numeric.');
             }
 
-            // Check if the list exists
-            $countQuery = Db::query("SELECT COUNT(*) AS count FROM cache_lists WHERE id = '$listId' AND user_id = '$user_id'");
-            $listExists = Db::fetch_assoc($countQuery)['count'];
-            if ($listExists == 0) {
+            // Check if the list exists and belongs to the user
+            $count = Db::select_value("
+                SELECT COUNT(*)
+                FROM cache_lists
+                WHERE id = '".Db::escape_string($list_id)."'
+                  AND user_id = '".Db::escape_string($user_id)."'
+            ");
+            if ($count == 0) {
                 throw new InvalidParam('list_id', 'The specified list does not exist.');
             }
 
-            // Proceed with the deletion process
-            Db::query("DELETE FROM cache_lists WHERE id = '$listId'");
-            Db::query("DELETE FROM cache_list_watches WHERE cache_list_id = '$listId'");
-            Db::query("DELETE FROM cache_list_items WHERE cache_list_id   = '$listId'");
+            // Delete child records before parent to avoid FK constraint issues
+            Db::query("DELETE FROM cache_list_items WHERE cache_list_id = '".Db::escape_string($list_id)."'");
+            Db::query("DELETE FROM cache_list_watches WHERE cache_list_id = '".Db::escape_string($list_id)."'");
+            Db::query("DELETE FROM cache_lists WHERE id = '".Db::escape_string($list_id)."'");
 
             $result = array(
                 'success' => true,
@@ -54,4 +58,3 @@ public static function call(OkapiRequest $request)
         return Okapi::formatted_response($request, $result);
     }
 }
-

okapi/services/lists/get_caches/WebService.php

@@ -3,10 +3,11 @@
 namespace okapi\services\lists\get_caches;
 
 use okapi\core\Db;
+use okapi\core\Exception\BadRequest;
+use okapi\core\Exception\InvalidParam;
 use okapi\core\Okapi;
 use okapi\core\Request\OkapiRequest;
 use okapi\Settings;
-use okapi\core\Exception\InvalidParam;
 
 class WebService
 {
@@ -19,43 +20,52 @@ public static function options()
 
     public static function call(OkapiRequest $request)
     {
-        $result = array(
-            'success' => false
-        );
+        if (Settings::get('OC_BRANCH') != 'oc.de')
+            throw new BadRequest('This method is not supported in this OKAPI installation.');
 
         $user_id = $request->token->user_id;
-        $listId = $request->get_parameter('list_id');
+        $list_id = $request->get_parameter('list_id');
 
-        if (empty($listId)) {
+        if (empty($list_id)) {
             throw new InvalidParam('list_id', 'list_id is mandatory and must not be empty.');
         }
 
+        // Verify list ownership
+        $count = Db::select_value("
+            SELECT COUNT(*)
+            FROM cache_lists
+            WHERE id = '".Db::escape_string($list_id)."'
+              AND user_id = '".Db::escape_string($user_id)."'
+        ");
+        if ($count == 0) {
+            throw new InvalidParam('list_id', 'The specified list does not exist or does not belong to you.');
+        }
+
         // Fetch cache_ids associated with the specified list
-        $cacheIdsArray = Db::select_column("
+        $cache_ids_array = Db::select_column("
             SELECT cache_id
             FROM cache_list_items
-            WHERE cache_list_id = '$listId'
+            WHERE cache_list_id = '".Db::escape_string($list_id)."'
         ");
 
-        $cacheCount = count($cacheIdsArray);
+        $cache_count = count($cache_ids_array);
 
         // Fetch cache_codes based on cache_ids
-        $cacheCodesArray = array();
+        $cache_codes_array = array();
 
-        if (!empty($cacheIdsArray)) {
-            $cacheIds = implode(',', $cacheIdsArray);
-            $cacheCodesArray = Db::select_column(
-                "SELECT wp_oc FROM caches WHERE cache_id IN ($cacheIds)"
+        if (!empty($cache_ids_array)) {
+            $escaped_ids = implode(',', array_map('intval', $cache_ids_array));
+            $cache_codes_array = Db::select_column(
+                "SELECT wp_oc FROM caches WHERE cache_id IN ($escaped_ids)"
             );
         }
 
         $result = array(
             'success' => true,
-            'cache_codes' => implode('|', $cacheCodesArray),
-            'cache_count' => $cacheCount
+            'cache_codes' => implode('|', $cache_codes_array),
+            'cache_count' => $cache_count
         );
 
         return Okapi::formatted_response($request, $result);
     }
 }
-

okapi/services/lists/query/WebService.php

@@ -2,14 +2,9 @@
 
 namespace okapi\services\lists\query;
 
-use okapi\core\Exception\InvalidParam;
-use okapi\core\Exception\ParamMissing;
 use okapi\core\Db;
 use okapi\core\Okapi;
-use okapi\core\OkapiServiceRunner;
-use okapi\core\Request\OkapiInternalRequest;
 use okapi\core\Request\OkapiRequest;
-use okapi\services\logs\LogsCommon;
 use okapi\Settings;
 
 class WebService
@@ -24,7 +19,7 @@ public static function options()
     public static function call(OkapiRequest $request)
     {
         $result = array(
-            'success' => false   // if the installation doesn't support it
+            'success' => false
         );
 
         if (Settings::get('OC_BRANCH') == 'oc.de')
@@ -59,12 +54,11 @@ public static function call(OkapiRequest $request)
                 $lists[] = $list;
             }
 
-            $result = json_encode($lists, JSON_PRETTY_PRINT);
+            $result = array(
+                'success' => true,
+                'lists' => $lists
+            );
         }
         return Okapi::formatted_response($request, $result);
     }
-
-
-    // ------------------------------------------------------------------
-
 }