From ee74df68233adcd5b167258c621565f97c3b2306 Mon Sep 17 00:00:00 2001 From: syuilo Date: Sat, 4 Feb 2023 18:21:07 +0900 Subject: [PATCH] fix(server): improve security --- .../backend/src/server/api/endpoints/notes/search-by-tag.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts index 061e371d6..bcd793ac4 100644 --- a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts +++ b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts @@ -95,14 +95,14 @@ export default class extends Endpoint { try { if (ps.tag) { - if (!safeForSql(ps.tag)) throw 'Injection'; + if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection'; query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`); } else { query.andWhere(new Brackets(qb => { for (const tags of ps.query!) { qb.orWhere(new Brackets(qb => { for (const tag of tags) { - if (!safeForSql(tag)) throw 'Injection'; + if (!safeForSql(normalizeForSearch(tag))) throw 'Injection'; qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`); } }));