From 99ade0fb09ee061cca32a93f018b170009b44040 Mon Sep 17 00:00:00 2001
From: Carlos Quintana
Date: Mon, 2 Dec 2024 09:03:22 +0100
Subject: [PATCH] fix: api crashes
---
 app/api/views/alias.py | 8 +++++++-
 app/api/views/new_custom_alias.py | 24 ++++++++++++++++++------
 app/models.py | 2 +-
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 7630b4b49..c4592fab0 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -299,7 +299,13 @@ def update_alias(alias_id):
 changed = True
 if "mailbox_ids" in data:
- mailbox_ids = [int(m_id) for m_id in data.get("mailbox_ids")]
+ mailbox_ids = []
+ for mailbox_id in data.get("mailbox_ids"):
+ try:
+ mailbox_ids.append(int(mailbox_id))
+ except ValueError:
+ return jsonify(error="Invalid mailbox_id"), 400
+
 err = set_mailboxes_for_alias(
 user_id=user.id, alias=alias, mailbox_ids=mailbox_ids
 )
diff --git a/app/api/views/new_custom_alias.py b/app/api/views/new_custom_alias.py
index 6cb78c2f5..94d48a99c 100644
--- a/app/api/views/new_custom_alias.py
+++ b/app/api/views/new_custom_alias.py
@@ -1,3 +1,4 @@
+from email_validator import EmailNotValidError
 from flask import g
 from flask import jsonify, request
@@ -93,12 +94,15 @@ def new_custom_alias_v2():
 400,
 )
- alias = Alias.create(
- user_id=user.id,
- email=full_alias,
- mailbox_id=user.default_mailbox_id,
- note=note,
- )
+ try:
+ alias = Alias.create(
+ user_id=user.id,
+ email=full_alias,
+ mailbox_id=user.default_mailbox_id,
+ note=note,
+ )
+ except EmailNotValidError:
+ return jsonify(error="Email is not valid"), 400
 Session.commit()
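Review bot: The new loop in `update_alias` (app/api/views/alias.py) catches only `ValueError`, so a JSON `null`, array or object inside `mailbox_ids` still raises `TypeError` from `int()` and ends in a 500. The same happens when `mailbox_ids` itself is `null` or a number, and a string value such as `"12"` is iterated character by character and accepted as ids 1 and 2. Widening the handler to `except (ValueError, TypeError):` and guarding the loop with `if not isinstance(data.get("mailbox_ids"), list): return jsonify(error="Invalid mailbox_id"), 400` closes these paths. `int()` also accepts booleans and truncates floats, so `true` or `1.9` is silently treated as mailbox 1. The body of `update_alias` starts and ends outside this hunk.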
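Review bot: The `except EmailNotValidError` added around `Alias.create` in `new_custom_alias_v2` returns 400 without touching the session, and this patch shows no matching handler on the `new_custom_alias_v3` path. If `Alias.create` can raise after it has added anything to the session (its body is not visible here), put `Session.rollback()` before the `return jsonify(error="Email is not valid"), 400` line so state from the failed create is not carried forward. If v3 reaches `Alias.create` with a client-built address, it presumably needs the same handler, otherwise the crash this commit fixes stays reachable there. The function starts and continues outside this hunk, so confirm whether `full_alias` could instead be validated next to the earlier 400 checks.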
@@ -154,8 +158,16 @@ def new_custom_alias_v3():
 return jsonify(error="request body does not follow the required format"), 400
 alias_prefix_data = data.get("alias_prefix", "") or ""
+
+ if not isinstance(alias_prefix_data, str):
+ return jsonify(error="request body does not follow the required format"), 400
+
 alias_prefix = alias_prefix_data.strip().lower().replace(" ", "")
 signed_suffix = data.get("signed_suffix", "") or ""
+
+ if not isinstance(signed_suffix, str):
+ return jsonify(error="request body does not follow the required format"), 400
+
 signed_suffix = signed_suffix.strip()
 mailbox_ids = data.get("mailbox_ids")
diff --git a/app/models.py b/app/models.py
index 8186a7e1e..e5f64537e 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1659,7 +1659,7 @@ def pgp_enabled(self) -> bool:
 return False
 @staticmethod
- def get_custom_domain(alias_address) -> Optional["CustomDomain"]:
+ def get_custom_domain(alias_address: str) -> Optional["CustomDomain"]:
 alias_domain = validate_email(
 alias_address, check_deliverability=False, allow_smtputf8=False
 ).domain
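Review bot: Because of the `or ""` fallback, the new `isinstance` checks in `new_custom_alias_v3` never see falsy non-string values: `0`, `false`, `[]` or `{}` sent as `alias_prefix` or `signed_suffix` are coerced to an empty string and treated as if the field were omitted. Reading the raw value first, `alias_prefix_data = data.get("alias_prefix")`, and rejecting it with `if alias_prefix_data is not None and not isinstance(alias_prefix_data, str):` makes the rejection consistent; the same applies to `signed_suffix`. `mailbox_ids` on the last context line gets no comparable type check in the visible lines, and the function continues past the hunk, so confirm it is validated as a list of integers before use. A comment above the checks such as `# JSON fields are client-controlled: reject non-strings before calling str methods` would record why they exist.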
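Review bot: The `alias_address: str` annotation added to `get_custom_domain` (app/models.py) is not enforced at runtime, and the `validate_email` call directly below it raises `EmailNotValidError` on a malformed address, while the `Optional["CustomDomain"]` return type suggests to callers that bad input yields `None`. A docstring would make that contract visible, for example `"""Return the CustomDomain for the domain of alias_address, or None. Raises EmailNotValidError if alias_address is not a valid address."""`. The method body continues outside this hunk, so the return paths are assumed from the signature and should be confirmed before the docstring is committed.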