From 26570158fd6720e66e1631822445d00959406066 Mon Sep 17 00:00:00 2001
From: ThatOneCalculator
Date: Sat, 4 Feb 2023 12:38:46 -0800
Subject: [PATCH] fix: :lock: improve tag search security
---
 .../backend/src/server/api/endpoints/notes/search-by-tag.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
index 8cf9ce8fb0..8993237421 100644
--- a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
+++ b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
@@ -93,7 +93,7 @@ export default define(meta, paramDef, async (ps, me) => {
 try {
 if (ps.tag) {
- if (!safeForSql(ps.tag)) throw new Error("Injection");
+ if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
 query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
 } else {
 query.andWhere(
@@ -102,7 +102,7 @@ export default define(meta, paramDef, async (ps, me) => {
 qb.orWhere(
 new Brackets((qb) => {
 for (const tag of tags) {
- if (!safeForSql(tag)) throw new Error("Injection");
+ if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
 qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
 }
 }),
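Review bot: The added line replaces `throw new Error("Injection")` with `throw 'Injection'`, a bare string, which carries no stack trace and will not match any `err instanceof Error` or `err.message` handling in the `catch` that closes the `try` opened at the top of this hunk (the catch itself is outside the hunk); the same regression is made in the second hunk at line 105. Keep the Error object, `if (!safeForSql(normalizeForSearch(ps.tag))) throw new Error("Injection");`, in both places. It is also worth computing the normalized value once so the string that is checked is provably the string that is interpolated, e.g. `const tag = normalizeForSearch(ps.tag);` followed by the check and `query.andWhere(\`'{"${tag}"}' <@ note.tags\`);`. The interpolation into the SQL fragment remains a blocklist-guarded string build; passing the value as a query parameter (TypeORM's `andWhere(where, parameters)` form) would remove the dependency on `safeForSql` being complete, which is the defence a reviewer would ask for here. The enclosing `define(...)` handler starts and ends outside the hunk.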
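Review bot: The new check validates `ps.tag` instead of the loop variable `tag`, so nothing in this branch validates the value that is actually interpolated on the following `qb.andWhere` line. This branch is the `else` of `if (ps.tag)`, so `ps.tag` is falsy here and `normalizeForSearch(ps.tag)` is called on an undefined or empty value while every element of `tags` reaches the SQL fragment unchecked; this is a regression against the removed line, which checked `tag`. The line should read `if (!safeForSql(normalizeForSearch(tag))) throw new Error("Injection");` (checking the same normalized string that the next line interpolates). The `for` loop is complete in the hunk but the surrounding `Brackets` callback and handler continue outside it.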