From 799d3519175dd2d9690f63b85bc3c58a3953e907 Mon Sep 17 00:00:00 2001
From: Marcus Kammer
Date: Sun, 2 Jun 2024 13:12:56 +0200
Subject: [PATCH] Check if survey id is valid

---
 src/handlers/questionnaire.lisp | 3 ++-
 src/handlers/survey.lisp | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/handlers/questionnaire.lisp b/src/handlers/questionnaire.lisp
index 28ed884..6c05dd0 100644
--- a/src/handlers/questionnaire.lisp
+++ b/src/handlers/questionnaire.lisp
@@ -5,7 +5,8 @@
 (let ((parts (split-uri uri)))
 (and (= (length parts) 3)
 (string= (first parts) "survey")
- (every #'digit-char-p (second parts)))))
+ (every #'digit-char-p (second parts))
+ (valid-survey-id-p (parse-integer (second parts))))))

 (defun questionnaire-uri (request)
 (questionnaire-uri-p (request-uri request)))
diff --git a/src/handlers/survey.lisp b/src/handlers/survey.lisp
index 1097d66..5889094 100644
--- a/src/handlers/survey.lisp
+++ b/src/handlers/survey.lisp
@@ -2,17 +2,19 @@

 (defun survey-uri-p (uri)
 "Check if the request URI matches the pattern '/survey/'"
+ (check-type uri string)
 (let ((parts (split-uri uri)))
 (and (= (length parts) 2)
 (string= (first parts) "survey")
- (every #'digit-char-p (second parts)))))
+ (every #'digit-char-p (second parts))
+ (valid-survey-id-p (parse-integer (second parts))))))

 (defun survey-uri (request)
 (let ((uri (request-uri request)))
 (survey-uri-p uri)))

 (define-easy-handler (survey :uri #'survey-uri) ()
- (let* ((id (subseq (request-uri*) (length "/survey/")))
+ (let* ((id (second (split-uri (request-uri*))))
 (survey (assoc (parse-integer id)
 (load-response (make-surveys-db-path)))))
 (ml-survey/views:survey survey)))
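Review bot: `parse-integer` can now signal an error inside the dispatch predicate, because `(every #'digit-char-p (second parts))` is true for an empty string and `(parse-integer "")` signals a parse error instead of returning NIL. Whether `split-uri` can ever return an empty second segment is not visible in this patch, so that should be confirmed. A cheap guard is `(plusp (length (second parts)))` ahead of the `every` form, or `(parse-integer (second parts) :junk-allowed t)` with a NIL check before calling `valid-survey-id-p`. The same two forms are added to `survey-uri-p` in src/handlers/survey.lisp and need the same guard. `questionnaire-uri-p` begins above this hunk, so its signature and docstring are not shown.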
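Review bot: The `survey` handler still hands the result of `assoc` to `ml-survey/views:survey` without checking it for NIL. `valid-survey-id-p` is not defined in this patch, so the handler is relying on it consulting the same data as `(load-response (make-surveys-db-path))`, and on that data not changing between dispatch and handling. Making the not-found case explicit in the handler removes that coupling: render only `(when survey ...)` and otherwise set `(return-code*)` to `+http-not-found+`. The added `(check-type uri string)` signals a correctable error rather than returning NIL; for a predicate used as a dispatcher, `(and (stringp uri) ...)` would keep it fail-closed. The docstring should also say the id must name an existing survey, since the predicate no longer tests the URI shape alone.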