From 9df2fc8d7b10a284a6702b1a28aa6153f5b79540 Mon Sep 17 00:00:00 2001
From: fiatjaf
Date: Thu, 28 Nov 2024 21:29:47 -0300
Subject: [PATCH] hints: prevent malicious timestamp hints to bork calculations.

---
 sdk/hints/memory/db.go | 4 ++++
 sdk/hints/sqlite/db.go | 10 +++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/sdk/hints/memory/db.go b/sdk/hints/memory/db.go
index 5ef22eb..7738ee9 100644
--- a/sdk/hints/memory/db.go
+++ b/sdk/hints/memory/db.go
@@ -27,6 +27,10 @@ func NewHintDB() *HintDB {
 }

 func (db *HintDB) Save(pubkey string, relay string, key hints.HintKey, ts nostr.Timestamp) {
+ if now := nostr.Now(); ts > now {
+ ts = now
+ }
+
 relayIndex := slices.Index(db.RelayBySerial, relay)
 if relayIndex == -1 {
 relayIndex = len(db.RelayBySerial)
diff --git a/sdk/hints/sqlite/db.go b/sdk/hints/sqlite/db.go
index 8774607..b8c76bb 100644
--- a/sdk/hints/sqlite/db.go
+++ b/sdk/hints/sqlite/db.go
@@ -87,11 +87,15 @@ func (sh SQLiteHints) TopN(pubkey string, n int) []string {
 return res
 }

-func (sh SQLiteHints) Save(pubkey string, relay string, key hints.HintKey, score nostr.Timestamp) {
- _, err := sh.saves[key].Exec(pubkey, relay, score, score)
+func (sh SQLiteHints) Save(pubkey string, relay string, key hints.HintKey, ts nostr.Timestamp) {
+ if now := nostr.Now(); ts > now {
+ ts = now
+ }
+
+ _, err := sh.saves[key].Exec(pubkey, relay, ts, ts)
 if err != nil {
 nostr.InfoLogger.Printf("[sdk/hints/sqlite] unexpected error on insert for %s, %s, %d: %s\n",
- pubkey, relay, score, err)
+ pubkey, relay, ts, err)
 }
 }
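Review bot: In `HintDB.Save` (sdk/hints/memory/db.go), clamping `ts` to `nostr.Now()` still stores a forged future timestamp as the freshest possible value, so the hint is bounded but not penalised; the same clamp is repeated in `SQLiteHints.Save` in sdk/hints/sqlite/db.go. If the ranking treats a larger timestamp as a stronger signal (the scoring code is outside this diff), consider discarding hints that lie beyond a small clock-skew allowance instead, e.g. `if ts > nostr.Now()+maxSkew { return }`, where `maxSkew` is a constructed name for a constant the package would have to define. Either way the check is better placed in one shared helper, so that any hints backend not touched by this commit cannot miss it, with a comment such as `// hint timestamps come from untrusted events; never store one in the future`. The body of `Save` continues past the end of the hunk.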
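Review bot: The log call in `SQLiteHints.Save` formats `pubkey` and `relay` with `%s`, although the commit message itself treats hint data as potentially malicious; a relay string carrying newlines or control characters would reach the log verbatim unless callers normalise it first (not visible here). Using `%q` for those two arguments, `"[sdk/hints/sqlite] unexpected error on insert for %q, %q, %d: %s\n"`, keeps every entry on one line. A failed insert is also only logged, so the caller cannot tell that the hint was not stored; a short comment such as `// best effort: a failed save is logged, not returned` would record that this is intended.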