From 65383e5b4cedbf79353b31c2df8c20077a54d77b Mon Sep 17 00:00:00 2001
From: Nathaniel Caza
Date: Wed, 21 Jun 2023 14:20:33 -0500
Subject: [PATCH 1/5] validate extra args in procwrap

---
 devtools/procwrap/main.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/devtools/procwrap/main.go b/devtools/procwrap/main.go
index 478b2f7969..7acc6862c4 100644
--- a/devtools/procwrap/main.go
+++ b/devtools/procwrap/main.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"strings"
 	"sync"
 	"time"
 )
@@ -68,7 +69,27 @@ func handleStop(w http.ResponseWriter, req *http.Request) {
 
 func handleStart(w http.ResponseWriter, req *http.Request) {
 	_ = req.ParseForm()
-	start(req.Form["extra-arg"])
+	extraArgs := req.Form["extra-arg"]
+	if len(extraArgs) == 0 {
+		start(nil)
+		return
+	}
+
+	if len(extraArgs) != 2 {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+	if extraArgs[0] != "--experimental" {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+	flags := strings.Split(extraArgs[1], ",")
+	if extraArgs[1] == "" || len(flags) == 0 || len(flags) > 10 {
+		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
+		return
+	}
+
+	start([]string{"--experimental", strings.Join(flags, ",")})
 }
 
 func handleSignal(w http.ResponseWriter, req *http.Request) {

From 86673ca90852e112e91cd7d9dbe722ae50d13edf Mon Sep 17 00:00:00 2001
From: Nathaniel Caza
Date: Wed, 21 Jun 2023 14:23:46 -0500
Subject: [PATCH 2/5] only allow 32 bits for int values

---
 devtools/configparams/run.go | 2 +-
 graphql2/mapconfig.go | 2 +-
 schedule/oncallnotificationrule.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/devtools/configparams/run.go b/devtools/configparams/run.go
index 14d72b11e1..5a7fb9d809 100644
--- a/devtools/configparams/run.go
+++ b/devtools/configparams/run.go
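Review bot: The new validation in handleStart accepts any comma-separated string as the value following `--experimental`: after `flags := strings.Split(extraArgs[1], ",")` the `len(flags) == 0` test can never be true (Split always returns at least one element), and the individual entries are never checked, so empty items (`a,,b`) or items containing whitespace pass straight into the argv of the process that start() launches. Since the point of the commit is to constrain what an HTTP caller can hand to start(), each entry should be validated before the join; the accepted flag names are not visible here, so the sketch below only rejects empty and whitespace-containing entries and should be tightened to the known names if they are enumerable. Note that `strings.Join(flags, ",")` reproduces extraArgs[1] unchanged, so the split is only useful for such a per-entry check. handleStart is fully inside the hunk, but start() is defined outside it.
```go
	flags := strings.Split(extraArgs[1], ",")
	if len(flags) > 10 {
		http.Error(w, "invalid extra-arg", http.StatusBadRequest)
		return
	}
	for _, f := range flags {
		// Reject empty entries and anything carrying whitespace; narrow to the known flag names where possible.
		if f == "" || strings.ContainsAny(f, " \t\r\n") {
			http.Error(w, "invalid extra-arg", http.StatusBadRequest)
			return
		}
	}
	// … unchanged: start([]string{"--experimental", strings.Join(flags, ",")}) …
```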
@@ -79,7 +79,7 @@ func ApplyConfigValues(cfg config.Config, vals []ConfigValueInput) (config.Confi
 		if v == "" {
 			return 0, nil
 		}
-		val, err := strconv.ParseInt(v, 10, 64)
+		val, err := strconv.ParseInt(v, 10, 32)
 		if err != nil {
 			return 0, validation.NewFieldError("\""+id+"\".Value", "integer value invalid: " + err.Error())
 		}
diff --git a/graphql2/mapconfig.go b/graphql2/mapconfig.go
index 44b756a533..62659b81df 100644
--- a/graphql2/mapconfig.go
+++ b/graphql2/mapconfig.go
@@ -136,7 +136,7 @@ func ApplyConfigValues(cfg config.Config, vals []ConfigValueInput) (config.Confi
 		if v == "" {
 			return 0, nil
 		}
-		val, err := strconv.ParseInt(v, 10, 64)
+		val, err := strconv.ParseInt(v, 10, 32)
 		if err != nil {
 			return 0, validation.NewFieldError("\""+id+"\".Value", "integer value invalid: "+err.Error())
 		}
diff --git a/schedule/oncallnotificationrule.go b/schedule/oncallnotificationrule.go
index f74a8eaded..557d6fa9da 100644
--- a/schedule/oncallnotificationrule.go
+++ b/schedule/oncallnotificationrule.go
@@ -91,7 +91,7 @@ func (r *RuleID) UnmarshalText(data []byte) error {
 	if err != nil {
 		return err
 	}
-	i, err := strconv.ParseInt(string(data[37:]), 10, 64)
+	i, err := strconv.ParseInt(string(data[37:]), 10, 32)
 	if err != nil {
 		return err
 	}

From 9c747bb5d3e26d3735896421dee15d739839d387 Mon Sep 17 00:00:00 2001
From: Nathaniel Caza
Date: Wed, 21 Jun 2023 14:29:43 -0500
Subject: [PATCH 3/5] use built in methods to handle urls

---
 web/src/app/util/query_param.js | 51 ++++++--------------------------
 1 file changed, 8 insertions(+), 43 deletions(-)

diff --git a/web/src/app/util/query_param.js b/web/src/app/util/query_param.js
index 643bacc890..eca60dcebd 100644
--- a/web/src/app/util/query_param.js
+++ b/web/src/app/util/query_param.js
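Review bot: The narrowing to `strconv.ParseInt(v, 10, 32)` is applied in three files without a comment recording why, and the result is still an int64, so a reader of run.go, mapconfig.go or oncallnotificationrule.go cannot tell from the code what rejects values beyond 32 bits; a one-line comment next to each call, e.g. `// bitSize 32: the value must fit in a 32-bit int downstream` (with "rule index" in place of "value" in oncallnotificationrule.go), would carry the intent of the commit message into the source. The run.go and mapconfig.go hunks are otherwise identical bodies of two copies of ApplyConfigValues, so they need to be kept in step; this commit touches both, but a future change easily will not. In the oncallnotificationrule.go hunk, `data[37:]` panics on input shorter than 37 bytes unless the check preceding the hunk already guarantees the length, which is not visible here. All three enclosing functions start and end outside their hunks.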
@@ -1,58 +1,23 @@ -const quoteRx = (s) => (s || '').replace(/[.?*+^$[\]\\(){}|-]/g, '\\$&') - export function getParameterByName(name, url = global.location.href) { - name = name.replace(/[[\]]/g, '\\$&') - const rx = new RegExp('[?&]' + quoteRx(name) + '(=([^&#]*)|&|#|$)') - const m = rx.exec(url) - if (!m) return null - if (!m[2]) return '' - - return decodeURIComponent(m[2].replace(/\+/g, ' ')) + return new URL(url).searchParams.get(name) } // returns hash of all parameters with keys and values export function getAllParameters(url = global.location.href) { - // match and select any parameters in the url - const rx = /[?&](\w+)=(?:([^&#]*)|&|#|$)/ - - const queries = {} - // find the first match - let m = rx.exec(url) - while (m) { - // while we have a match - url = url.replace(m[0], '') - queries[m[1]] = decodeURIComponent(m[2].replace(/\+/g, ' ')) - m = rx.exec(url) // find the next match + const q = {} + for (const [key, value] of new URL(url).searchParams) { + q[key] = value } - return queries + return q } // takes in a var name, var value, and optionally a url to read previous params from. // returns a string of the params and the maintained hash (DOES NOT RETURN THE PATH) export function setParameterByName(name, value, url = global.location.href) { - // fetch all current url queries - const queries = getAllParameters(url) - - // set new value - queries[name] = encodeURIComponent(value) - - // rebuild the url -- omit the parameter `name` if value is null - const queryList = Object.keys(queries) - .sort((a, b) => (a < b ? -1 : 1)) - .filter((i) => !(value === null && i === name)) - .map((query) => { - return query + '=' + queries[query] - }) - - // match against anything that is after the # in the address - const rx = /(#.*)/ - const m = rx.exec(url) - let hash = '' - if (m) hash = m[1] - const newURL = '?' 
+ queryList.join('&') + hash - - return newURL + const u = new URL(url) + u.searchParams.set(name, value) + return u.toString() } // clears the parameter given from the current url From 207a908493d368ff39a42561be7b62f69865c8fd Mon Sep 17 00:00:00 2001 From: Nathaniel Caza Date: Wed, 21 Jun 2023 15:11:12 -0500 Subject: [PATCH 4/5] remove unused oauthautorize page --- devtools/mockslack/oauthauthorize.go | 81 -------------------------- devtools/mockslack/oauthauthorize.html | 48 --------------- devtools/mockslack/server.go | 1 - 3 files changed, 130 deletions(-) delete mode 100644 devtools/mockslack/oauthauthorize.go delete mode 100644 devtools/mockslack/oauthauthorize.html diff --git a/devtools/mockslack/oauthauthorize.go b/devtools/mockslack/oauthauthorize.go deleted file mode 100644 index 4e8689259e..0000000000 --- a/devtools/mockslack/oauthauthorize.go +++ /dev/null 
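Review bot: setParameterByName no longer honours `value === null`: the removed code filtered that parameter out of the result, while the new `u.searchParams.set(name, value)` stores the literal string "null", and the retained comment two lines above ("returns a string of the params and the maintained hash (DOES NOT RETURN THE PATH)") now contradicts `return u.toString()`, which yields the full absolute URL. Unless every caller was adjusted outside this diff, keep the old contract by deleting the entry on null and returning `u.search + u.hash`, as sketched below. Separately, `new URL(url)` throws a TypeError for a relative or malformed url in all three rewritten functions, where the removed regex versions returned null or an empty object; callers that pass a partial URL now need a base. The function ends inside the hunk; the rest of the file follows it.
```javascript
export function setParameterByName(name, value, url = global.location.href) {
  const u = new URL(url)
  if (value === null) u.searchParams.delete(name)
  else u.searchParams.set(name, value)
  return u.search + u.hash
}
```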
@@ -1,81 +0,0 @@
-package mockslack
-
-import (
-	_ "embed"
-	"html/template"
-	"log"
-	"net/http"
-	"net/url"
-	"strings"
-)
-
-//go:embed oauthauthorize.html
-var authPageHTML string
-
-var authPage = template.Must(
-	template.New("authorize").
-		Funcs(template.FuncMap{"StringsJoin": strings.Join}).
-		Parse(authPageHTML))
-
-func (s *Server) ServeOAuthAuthorize(w http.ResponseWriter, req *http.Request) {
-	ctx := req.Context()
-	if respondErr(w, checkPermission(ctx, "user")) {
-		return
-	}
-
-	clientID := req.FormValue("client_id")
-	var renderData struct {
-		AppName string
-		UserName string
-		Scopes []string
-		Data url.Values
-	}
-	renderData.Data = req.Form
-
-	redir, err := url.Parse(req.FormValue("redirect_uri"))
-	if err != nil {
-		respondWith(w, &response{Err: "bad_redirect_uri"})
-		return
-	}
-
-	errResp := func(msg string) {
-		q := redir.Query()
-		q.Set("state", req.FormValue("state"))
-		q.Set("error", msg)
-		redir.RawQuery = q.Encode()
-		http.Redirect(w, req, redir.String(), http.StatusFound)
-	}
-
-	app := s.app(clientID)
-	if app == nil {
-		errResp("invalid_client_id")
-		return
-	}
-	renderData.AppName = app.Name
-
-	if req.FormValue("action") == "cancel" {
-		errResp("access_denied")
-		return
-	}
-
-	uid := userID(ctx)
-	renderData.UserName = s.user(uid).Name
-	scopes := strings.Split(req.FormValue("scope"), " ")
-	renderData.Scopes = scopes
-	if req.FormValue("action") != "confirm" {
-		err = authPage.Execute(w, renderData)
-		if err != nil {
-			log.Println("ERROR:", err)
-		}
-		return
-	}
-
-	code := s.addUserAppScope(uid, clientID, scopes...)
-
-	q := redir.Query()
-	q.Del("error")
-	q.Set("code", code)
-	q.Set("state", req.FormValue("state"))
-	redir.RawQuery = q.Encode()
-	http.Redirect(w, req, redir.String(), http.StatusFound)
-}
@@ -1,48 +0,0 @@ - - - - - - - Mock Slack - Authorize - - -
-

Authorize

-

Logged in as: {{.UserName}}

-

- Allow the application {{.AppName}} access to the following scopes: -

-
    - {{range .Scopes}} -
  • {{.}}
  • - {{end}} -
-
-
- {{- range $key, $value := .Data}} {{- end}} - - - - -
-
- - diff --git a/devtools/mockslack/server.go b/devtools/mockslack/server.go index 91c5a4229a..5c7acd97d0 100644 --- a/devtools/mockslack/server.go +++ b/devtools/mockslack/server.go @@ -43,7 +43,6 @@ func NewServer() *Server { srv.mux.HandleFunc("/api/groups.create", srv.ServeGroupsCreate) srv.mux.HandleFunc("/api/team.info", srv.ServeTeamInfo) // TODO: history, leave, join - srv.mux.HandleFunc("/oauth/authorize", srv.ServeOAuthAuthorize) srv.mux.HandleFunc("/stats", func(w http.ResponseWriter, req *http.Request) { srv.state.mx.Lock() From b67febb6c7d25d62e45e947d9ca35854bc7ca949 Mon Sep 17 00:00:00 2001 From: Nathaniel Caza Date: Wed, 21 Jun 2023 15:17:50 -0500 Subject: [PATCH 5/5] remove unused code --- devtools/mockslack/user.go | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/devtools/mockslack/user.go b/devtools/mockslack/user.go index e86fa24b5c..dfca73235b 100644 --- a/devtools/mockslack/user.go +++ b/devtools/mockslack/user.go @@ -30,30 +30,3 @@ func (st *state) newUser(u User) User { return u } - -func (st *state) addUserAppScope(userID, clientID string, scopes ...string) string { - st.mx.Lock() - defer st.mx.Unlock() - - if st.users[userID].appTokens[clientID] == nil { - tok := &AuthToken{ID: st.gen.UserAccessToken(), User: userID, Scopes: scopes} - st.tokens[tok.ID] = tok - st.users[userID].appTokens[clientID] = tok - - code := st.gen.TokenCode() - st.tokenCodes[code] = &tokenCode{AuthToken: tok, ClientID: clientID} - return code - } - - tok := st.users[userID].appTokens[clientID] - - for _, scope := range scopes { - if !contains(tok.Scopes, scope) { - tok.Scopes = append(tok.Scopes, scope) - } - } - - code := st.gen.TokenCode() - st.tokenCodes[code] = &tokenCode{AuthToken: tok, ClientID: clientID} - return code -}