aimedb: block all-zero access codes and idms

core/aimedb.py

@@ -176,6 +176,11 @@ class AimedbServlette():
 
     async def handle_lookup(self, data: bytes, resp_code: int) -> ADBBaseResponse:
         req = ADBLookupRequest(data)
+        if req.access_code == "00000000000000000000":
+            ret = ADBLookupResponse.from_req(req.head, -1)
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
+        
         user_id = await self.data.card.get_user_id_from_card(req.access_code)
         is_banned = await self.data.card.get_card_banned(req.access_code)
         is_locked = await self.data.card.get_card_locked(req.access_code)
@@ -201,6 +206,11 @@ class AimedbServlette():
 
     async def handle_lookup_ex(self, data: bytes, resp_code: int) -> ADBBaseResponse:
         req = ADBLookupRequest(data)
+        if req.access_code == "00000000000000000000":
+            ret = ADBLookupExResponse.from_req(req.head, -1)
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
+        
         user_id = await self.data.card.get_user_id_from_card(req.access_code)
 
         is_banned = await self.data.card.get_card_banned(req.access_code)
@@ -241,6 +251,11 @@ class AimedbServlette():
         """
         req = ADBFelicaLookupRequest(data)
         idm = req.idm.zfill(16)
+        if idm == "0000000000000000":
+            ret = ADBFelicaLookupResponse.from_req(req.head, "00000000000000000000")
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
+
         card = await self.data.card.get_card_by_idm(idm)
         if not card:
             ac = self.data.card.to_access_code(idm)
@@ -262,6 +277,13 @@ class AimedbServlette():
         because we don't implement felica_lookup properly.
         """
         req = ADBFelicaLookupRequest(data)
+        idm = req.idm.zfill(16)
+        
+        if idm == "0000000000000000":
+            ret = ADBFelicaLookupResponse.from_req(req.head, "00000000000000000000")
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
+        
         ac = self.data.card.to_access_code(req.idm)
         
         if self.config.server.allow_user_registration:
@@ -292,9 +314,15 @@ class AimedbServlette():
         return ADBFelicaLookupResponse.from_req(req.head, ac)
 
     async def handle_felica_lookup_ex(self, data: bytes, resp_code: int) -> bytes:
-        req = ADBFelicaLookup2Request(data)
+        req = ADBFelicaLookupExRequest(data)
         user_id = None
         idm = req.idm.zfill(16)
+        
+        if idm == "0000000000000000":
+            ret = ADBFelicaLookupExResponse.from_req(req.head, -1, "00000000000000000000")
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
+        
         card = await self.data.card.get_card_by_idm(idm)
         if not card:
             access_code = self.data.card.to_access_code(idm)
@@ -314,7 +342,7 @@ class AimedbServlette():
             f"idm {idm} ipm {req.pmm} -> access_code {access_code} user_id {user_id}"
         )
 
-        resp = ADBFelicaLookup2Response.from_req(req.head, user_id, access_code)
+        resp = ADBFelicaLookupExResponse.from_req(req.head, user_id, access_code)
         
         if user_id > 0:
             if card['is_banned'] and card['is_locked']:
@@ -347,6 +375,11 @@ class AimedbServlette():
     async def handle_register(self, data: bytes, resp_code: int) -> bytes:
         req = ADBLookupRequest(data)
         user_id = -1
+        
+        if req.access_code == "00000000000000000000":
+            ret = ADBLookupResponse.from_req(req.head, -1)
+            ret.head.status = ADBStatus.BAN_SYS
+            return ret
 
         if self.config.server.allow_user_registration:
             user_id = await self.data.user.create_user()