From 5f9bc570696c6b8deb465d273bf539c92ad4afbf Mon Sep 17 00:00:00 2001
From: Arjun Satarkar <me@arjunsatarkar.net>
Date: Fri, 4 Aug 2023 05:47:14 +0530
Subject: Do more user input validation

---
 serve.py  | 12 +++++++++---
 tagrss.py | 22 ++++++++++++++++------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/serve.py b/serve.py
index d04509f..cec578d 100755
--- a/serve.py
+++ b/serve.py
@@ -210,13 +210,19 @@ def add_feed_effect():
 def manage_feed_view():
     try:
         feed_id_raw: str = bottle.request.query["feed"]  # type: ignore
-        feed_id: int = int(feed_id_raw)
     except KeyError:
         raise bottle.HTTPError(400, "Feed ID not given.")
+    try:
+        feed_id: int = int(feed_id_raw)
+    except ValueError:
+        raise bottle.HTTPError(400, f'"{feed_id_raw}" is not a valid feed ID.')
     feed: dict[str, typing.Any] = {}
     feed["id"] = feed_id
-    feed["source"] = core.get_feed_source(feed_id)
-    feed["title"] = core.get_feed_title(feed_id)
+    try:
+        feed["source"] = core.get_feed_source(feed_id)
+        feed["title"] = core.get_feed_title(feed_id)
+    except tagrss.FeedDoesNotExistError:
+        raise bottle.HTTPError(404, f"No feed has ID {feed_id}.")
     feed["tags"] = core.get_feed_tags(feed_id)
     feed["serialised_tags"] = serialise_tags(feed["tags"])
     return bottle.template("manage_feed", feed=feed)
diff --git a/tagrss.py b/tagrss.py
index 4370b7a..9c134a5 100644
--- a/tagrss.py
+++ b/tagrss.py
@@ -38,6 +38,10 @@ class SqliteMissingForeignKeySupportError(StorageError):
     pass
 
 
+class FeedDoesNotExistError(StorageError):
+    pass
+
+
 class FeedFetchError(Exception):
     def __init__(
         self,
@@ -233,15 +237,21 @@ class SqliteStorageProvider(StorageProvider):
 
     def get_feed_source(self, feed_id: FeedId) -> str:
         with self.__get_connection(use_transaction=False) as conn:
-            return conn.execute(
-                "SELECT source  FROM feeds WHERE id = ?;", (feed_id,)
-            ).fetchone()[0]
+            try:
+                return conn.execute(
+                    "SELECT source  FROM feeds WHERE id = ?;", (feed_id,)
+                ).fetchone()[0]
+            except TypeError:
+                raise FeedDoesNotExistError
 
     def get_feed_title(self, feed_id: FeedId) -> str:
         with self.__get_connection(use_transaction=False) as conn:
-            return conn.execute(
-                "SELECT title FROM feeds WHERE id = ?;", (feed_id,)
-            ).fetchone()[0]
+            try:
+                return conn.execute(
+                    "SELECT title FROM feeds WHERE id = ?;", (feed_id,)
+                ).fetchone()[0]
+            except TypeError:
+                raise FeedDoesNotExistError
 
     def get_feed_tags(self, feed_id: FeedId) -> list[str]:
         with self.__get_connection(use_transaction=False) as conn:
-- 
cgit v1.2.3-57-g22cb