natty
/
calckey
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: 🔒 improve tag search security

This commit is contained in:
ThatOneCalculator 2023-02-04 12:38:46 -08:00
parent bb927f1668
commit 26570158fd
No known key found for this signature in database
GPG Key ID: 8703CACD01000000
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
View File

@ -93,7 +93,7 @@ export default define(meta, paramDef, async (ps, me) => {
try {
if (ps.tag) {
if (!safeForSql(ps.tag)) throw new Error("Injection");
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
} else {
query.andWhere(
@ -102,7 +102,7 @@ export default define(meta, paramDef, async (ps, me) => {
qb.orWhere(
new Brackets((qb) => {
for (const tag of tags) {
if (!safeForSql(tag)) throw new Error("Injection");
if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
}
}),