Merge pull request #282 from dmitriy-kharchenko/master

Added validation and error checking for incoming updates in ListenFor…
2020-07-29 11:42:08 -04:00 · 2020-07-29 11:42:08 -04:00 · fb8759e91d
parent dff2120d96 b6575a2934
commit fb8759e91d
3 changed files with 31 additions and 12 deletions
--- a/bot.go
+++ b/bot.go
@ -557,21 +557,35 @@ func (bot *BotAPI) ListenForWebhook(pattern string) UpdatesChannel {
 	ch := make(chan Update, bot.Buffer)

 	http.HandleFunc(pattern, func(w http.ResponseWriter, r *http.Request) {
-		ch <- bot.HandleUpdate(w, r)
+		update, err := bot.HandleUpdate(r)
+		if err != nil {
+			errMsg, _ := json.Marshal(map[string]string{"error": err.Error()})
+			w.WriteHeader(http.StatusBadRequest)
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write(errMsg)
+			return
+		}
+
+		ch <- *update
 	})

 	return ch
 }

 // HandleUpdate parses and returns update received via webhook
-func (bot *BotAPI) HandleUpdate(res http.ResponseWriter, req *http.Request) Update {
-  bytes, _ := ioutil.ReadAll(req.Body)
-  req.Body.Close()
+func (bot *BotAPI) HandleUpdate(r *http.Request) (*Update, error) {
+	if r.Method != http.MethodPost {
+		err := errors.New("wrong HTTP method required POST")
+		return nil, err
+	}

 	var update Update
-  json.Unmarshal(bytes, &update)
+	err := json.NewDecoder(r.Body).Decode(&update)
+	if err != nil {
+		return nil, err
+	}

-  return update
+	return &update, nil
 }

 // AnswerInlineQuery sends a response to an inline query.
--- a/bot_test.go
+++ b/bot_test.go
@ -645,7 +645,12 @@ func ExampleWebhookHandler() {
 	}

 	http.HandleFunc("/"+bot.Token, func(w http.ResponseWriter, r *http.Request) {
-		log.Printf("%+v\n", bot.HandleUpdate(w, r))
+		update, err := bot.HandleUpdate(r)
+		if err != nil {
+			log.Printf("%+v\n", err.Error())
+		} else {
+			log.Printf("%+v\n", *update)
+		}
 	})

 	go http.ListenAndServeTLS("0.0.0.0:8443", "cert.pem", "key.pem", nil)