syuilo 2020-02-20 07:18:40 +09:00
parent 177e19632a
commit 09175b84df
1 changed files with 4 additions and 2 deletions


@ -6,6 +6,7 @@ import { Notes } from '../../../../models';
import { generateMuteQuery } from '../../common/generate-mute-query'; import { generateMuteQuery } from '../../common/generate-mute-query';
import { generateVisibilityQuery } from '../../common/generate-visibility-query'; import { generateVisibilityQuery } from '../../common/generate-visibility-query';
import { Brackets } from 'typeorm'; import { Brackets } from 'typeorm';
import { safeForSql } from '../../../../misc/safe-for-sql';
export const meta = { export const meta = {
desc: { desc: {
@ -99,7 +100,7 @@ export default define(meta, async (ps, me) => {
if (me) generateMuteQuery(query, me); if (me) generateMuteQuery(query, me);
if (ps.tag) { if (ps.tag) {
if (/[\0\x08\x09\x1a\n\r"'\\\%]/g.test(ps.tag)) return; if (!safeForSql(ps.tag)) return;
query.andWhere(`'{"${ps.tag.toLowerCase()}"}' <@ note.tags`); query.andWhere(`'{"${ps.tag.toLowerCase()}"}' <@ note.tags`);
} else { } else {
let i = 0; let i = 0;
@ -107,7 +108,8 @@ export default define(meta, async (ps, me) => {
for (const tags of ps.query!) { for (const tags of ps.query!) {
qb.orWhere(new Brackets(qb => { qb.orWhere(new Brackets(qb => {
for (const tag of tags) { for (const tag of tags) {
qb.andWhere(`:tag${i} = ANY(note.tags)`, { [`tag${i}`]: tag.toLowerCase() }); if (!safeForSql(tag)) return;
qb.andWhere(`'{"${tag.toLowerCase()}"}' <@ note.tags`);
i++; i++;
} }
})); }));
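Review bot: In the `ps.query` loop the bound parameter (`:tag${i}` with its `{ [...]: tag.toLowerCase() }` map) is replaced by interpolating `tag` into the SQL text, so injection safety there now rests entirely on the `safeForSql` filter, whose implementation is not visible on this page. The binding could be kept while switching to the containment operator, for example ``qb.andWhere(`ARRAY[:tag${i}] <@ note.tags`, { [`tag${i}`]: tag.toLowerCase() });`` (a cast to the column's element type may be needed), and the `ps.tag` branch could be bound the same way. Separately, the new `if (!safeForSql(tag)) return;` only leaves the `Brackets` callback, so the remaining tags of that group are silently dropped and the group matches more notes than requested, or is left empty if the first tag fails. The `ps.tag` branch instead aborts the whole handler, so validating every tag before the query is built would make the two paths consistent. The handler body starts and ends outside the hunks shown.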