fix: 🔒 improve tag search security
parent
bb927f1668
commit
26570158fd
|
@ -93,7 +93,7 @@ export default define(meta, paramDef, async (ps, me) => {
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (ps.tag) {
|
if (ps.tag) {
|
||||||
if (!safeForSql(ps.tag)) throw new Error("Injection");
|
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
|
||||||
query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
|
query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
|
||||||
} else {
|
} else {
|
||||||
query.andWhere(
|
query.andWhere(
|
||||||
|
@ -102,7 +102,7 @@ export default define(meta, paramDef, async (ps, me) => {
|
||||||
qb.orWhere(
|
qb.orWhere(
|
||||||
new Brackets((qb) => {
|
new Brackets((qb) => {
|
||||||
for (const tag of tags) {
|
for (const tag of tags) {
|
||||||
if (!safeForSql(tag)) throw new Error("Injection");
|
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
|
||||||
qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
|
qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
|
||||||
}
|
}
|
||||||
}),
|
}),
|
||||||
|
|
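Review bot: In the second hunk the guard inside `for (const tag of tags)` tests `normalizeForSearch(ps.tag)`, while the value interpolated into the SQL text on the following line is `normalizeForSearch(tag)`, so the loop elements appear to reach the query unchecked (this assumes the `normalizeForSearch` variant of each printed pair is the new side, since the page lost its +/- markers). The loop seems to sit in the `else` of `if (ps.tag)`, where `ps.tag` is absent, which makes the check test the wrong value on every iteration. The line should read `if (!safeForSql(normalizeForSearch(tag))) throw new Error("Injection");`, and the first hunk should likewise keep `new Error("Injection")` rather than throwing a bare string, which carries no stack trace. Passing the tag as a bound query parameter instead of interpolating it into the array literal would remove the dependence on `safeForSql` altogether. The enclosing handler starts and ends outside both hunks.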