fix(server): improve security

syuilo 2023-02-04 18:21:07 +09:00
parent a12f07c42b
commit ee74df6823


@ -95,14 +95,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
try { try {
if (ps.tag) { if (ps.tag) {
if (!safeForSql(ps.tag)) throw 'Injection'; if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`); query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
} else { } else {
query.andWhere(new Brackets(qb => { query.andWhere(new Brackets(qb => {
for (const tags of ps.query!) { for (const tags of ps.query!) {
qb.orWhere(new Brackets(qb => { qb.orWhere(new Brackets(qb => {
for (const tag of tags) { for (const tag of tags) {
if (!safeForSql(tag)) throw 'Injection'; if (!safeForSql(normalizeForSearch(tag))) throw 'Injection';
qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`); qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
} }
})); }));