From 95264bb7edad2a22c3a4db6a91082389732a26c8 Mon Sep 17 00:00:00 2001
From: "Steinar H. Gunderson"
Date: Mon, 21 Mar 2016 00:01:43 +0100
Subject: [PATCH] Make the JavaScript validate the FENs before sending them off to the server, which is not hardened.

---
 www/js/hash-lookup.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/js/hash-lookup.js b/www/js/hash-lookup.js
index d9499d0..9ecca53 100644
--- a/www/js/hash-lookup.js
+++ b/www/js/hash-lookup.js
@@ -7,7 +7,14 @@ var hashprobe_proto = grpc.load(PROTO_PATH).hashprobe;
 // TODO: Make destination configurable.
 var client = new hashprobe_proto.HashProbe('localhost:50051', grpc.credentials.createInsecure());
 
+var board = new Chess();
+
 var handle_request = function(fen, response) {
+	if (!board.validate_fen(fen).valid) {
+		response.writeHead(400, {});
+		response.end();
+		return;
+	}
 	client.probe({fen: fen}, function(err, probe_response) {
 		if (err) {
 			response.writeHead(500, {});
@@ -20,8 +27,6 @@ var handle_request = function(fen, response) {
 exports.handle_request = handle_request;
 
 var handle_response = function(fen, response, probe_response) {
-	var board = new Chess();
-
 	var lines = {};
 	var root = translate_line(board, fen, probe_response['root'], true);
 
-- 
2.39.2
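Review bot: The new guard at the top of `handle_request` assumes `fen` is already a string; if the caller can hand it anything else (a missing or repeated query parameter typically arrives as `undefined` or an array), `validate_fen` will most likely throw instead of returning `{valid: false}`, so the malformed input this commit means to reject at the boundary becomes an uncaught exception in the request path rather than a 400. Adding a type check to the same condition keeps the fail-closed behaviour: `if (typeof fen !== 'string' || !board.validate_fen(fen).valid) {`. Where `fen` originates is not visible in this diff, and the body of `handle_request` continues past the end of the hunk. The `board` instance is now module-wide and is also what `handle_response` passes to `translate_line` in the second hunk; that is safe only if `translate_line` does its work synchronously, which cannot be confirmed from these lines and is worth a one-line comment at the declaration, e.g. `// Shared across requests; only touched synchronously.`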