fix: 🔒 improve tag search security

This commit is contained in:
ThatOneCalculator 2023-02-04 12:38:46 -08:00
parent bb927f1668
commit 26570158fd
No known key found for this signature in database
GPG key ID: 8703CACD01000000


@ -93,7 +93,7 @@ export default define(meta, paramDef, async (ps, me) => {
try {
if (ps.tag) {
if (!safeForSql(ps.tag)) throw new Error("Injection");
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
} else {
query.andWhere(
@ -102,7 +102,7 @@ export default define(meta, paramDef, async (ps, me) => {
qb.orWhere(
new Brackets((qb) => {
for (const tag of tags) {
if (!safeForSql(tag)) throw new Error("Injection");
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
}
}),
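Review bot: The new guard inside the `for (const tag of tags)` loop validates `ps.tag` rather than the loop variable, so each `tag` is interpolated into the SQL string on the next line without ever being checked; in this `else` branch `ps.tag` is the value that was falsy, so the check presumably passes for every iteration and the injection guard the loop used to have is lost. The line should read `if (!safeForSql(normalizeForSearch(tag))) throw new Error("Injection");`. Both hunks also replace `throw new Error("Injection")` with `throw 'Injection'`, which throws a bare string with no stack trace and breaks any caller that inspects `err.message` or `err instanceof Error`; keeping the `Error` object is the safer form. Since the tag is still concatenated into the query text, a parameterized `andWhere` would be the more robust fix than a pre-check, but that change is outside this commit's scope. The enclosing handler starts before the first hunk and continues past the second.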