From 33a3c455e0f1346390cdd75d9cef997c41ed9e01 Mon Sep 17 00:00:00 2001
From: Mint <>
Date: Sun, 27 Nov 2022 23:02:12 +0300
Subject: [PATCH] Prevent single-character search DoS

---
 api.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/api.py b/api.py
index 68be9f2..2aa0613 100644
--- a/api.py
+++ b/api.py
@@ -34,7 +34,7 @@ def info():
 def blocked(domain: str = None, reason: str = None):
     if domain == None and reason == None:
         raise HTTPException(status_code=400, detail="No filter specified")
-    conn = sqlite3.connect("blocks.db")
+    if domain == None and reason == None:
     c = conn.cursor()
     if domain != None:
         wildchar = "*." + ".".join(domain.split(".")[-domain.count("."):])
@@ -42,7 +42,10 @@ def blocked(domain: str = None, reason: str = None):
         c.execute("select blocker, blocked, block_level, reason from blocks where blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ? or blocked = ?",
                   (domain, "*." + domain, wildchar, get_hash(domain), punycode, "*." + punycode))
     else:
-        c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
+        if len(reason) < 3:
+            raise HTTPException(status_code=400, detail="Keyword is shorter than three characters")
+        else:
+            c.execute("select blocker, blocked, reason, block_level from blocks where reason like ? and reason != ''", ("%"+reason+"%",))
     blocks = c.fetchall()
     conn.close()