From 234ff64b12855ebba432b68679f8fe5704955e52 Mon Sep 17 00:00:00 2001
From: ThatOneCalculator <kainoa@t1c.dev>
Date: Sun, 16 Jul 2023 19:49:15 -0700
Subject: [PATCH] fix validation

---
 .../src/server/api/endpoints/i/update.ts      | 54 ++++++++++++-------
 1 file changed, 34 insertions(+), 20 deletions(-)

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 553486983e..9106ff6f29 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -16,7 +16,6 @@ import { getRelMeLinks } from "@/services/fetch-rel-me.js";
 import { ApiError } from "../../error.js";
 import config from "@/config/index.js";
 import define from "../../define.js";
-import type * as misskey from "calckey-js";
 
 export const meta = {
 	tags: ["account"],
@@ -61,6 +60,18 @@ export const meta = {
 			code: "INVALID_REGEXP",
 			id: "0d786918-10df-41cd-8f33-8dec7d9a89a5",
 		},
+
+		invalidFieldName: {
+			message: "Invalid field name.",
+			code: "INVALID_FIELD_NAME",
+			id: "8f81972e-8b53-4d30-b0d2-efb026dda673",
+		},
+
+		invalidFieldValue: {
+			message: "Invalid field value.",
+			code: "INVALID_FIELD_VALUE",
+			id: "aede7444-244b-11ee-be56-0242ac120002",
+		},
 	},
 
 	res: {
@@ -248,25 +259,28 @@ export default define(meta, paramDef, async (ps, _user, token) => {
 	}
 
 	if (ps.fields) {
-		profileUpdates.fields = await Promise.all(
-			ps.fields
-				.filter(
-					(x: misskey.entities.UserDetailed.fields) =>
-						typeof x.name === "string" &&
-						x.name !== "" &&
-						typeof x.value === "string" &&
-						x.value !== "",
-				)
-				.map(async (x: misskey.entities.UserDetailed.fields) => {
-					return {
-						name: x.name,
-						value: x.value,
-						verified: x.value.startsWith("http")
-							? await verifyLink(x.value, user.username)
-							: null,
-					};
-				}),
-		);
+		for (const field of ps.fields) {
+			if (!field || field.name === "" || field.value === "") {
+				continue;
+			}
+			if (typeof field.name !== "string" || field.name === "") {
+				throw new ApiError(meta.errors.invalidFieldName);
+			}
+			if (typeof field.value !== "string" || field.value === "") {
+				throw new ApiError(meta.errors.invalidFieldValue);
+			}
+			if (field.value.startsWith("http")) {
+				field.verified = await verifyLink(field.value, user.username);
+			}
+		}
+
+		profileUpdates.fields = ps.fields.map((x) => {
+			return {
+				name: x.name,
+				value: x.value,
+				verified: x.verified,
+			};
+		});
 	}
 
 	//#region emojis/tags
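Review bot: The `continue` at the top of the loop skips entries with an empty name or value, but `profileUpdates.fields` is then built from the unfiltered `ps.fields`, so those entries are still persisted (and a null entry would make `x.name` throw in the map), whereas the removed `.filter` kept them out. The `field.name === ""` and `field.value === ""` comparisons on the two `throw` lines are unreachable after that `continue` and can be dropped. Collecting the validated entries in a local array inside the loop and assigning that array keeps skipped entries out of the update and avoids writing `field.verified` onto the request payload. A non-link value now leaves `verified` undefined where the previous code stored `null`; confirm the persistence layer accepts that, or keep the explicit `null` as below. The enclosing handler starts and ends outside this hunk.
```typescript
	if (ps.fields) {
		const validated: {
			name: string;
			value: string;
			verified: Awaited<ReturnType<typeof verifyLink>> | null;
		}[] = [];
		for (const field of ps.fields) {
			if (!field || field.name === "" || field.value === "") {
				continue;
			}
			if (typeof field.name !== "string") {
				throw new ApiError(meta.errors.invalidFieldName);
			}
			if (typeof field.value !== "string") {
				throw new ApiError(meta.errors.invalidFieldValue);
			}
			validated.push({
				name: field.name,
				value: field.value,
				verified: field.value.startsWith("http")
					? await verifyLink(field.value, user.username)
					: null,
			});
		}
		profileUpdates.fields = validated;
	}
```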