monkee.ch/monkeeShark
1
0
Fork 0
Code Pull requests Activity

[API] Fix: Validate ids

Browse source
This commit is contained in:
syuilo 2017-01-18 05:39:50 +09:00
parent 8b95a1ef5d
commit 23e100691c
1 changed files with 16 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/api/endpoints/posts/create.js
View file

@ -68,6 +68,11 @@ module.exports = (params, user, app) =>
for (let i = 0; i < media.length; i++) { for (let i = 0; i < media.length; i++) {
const image = media[i]; const image = media[i];
// Validate id
if (!mongo.ObjectID.isValid(image)) {
return rej('incorrect media id');
}
// Fetch file // Fetch file
// SELECT _id // SELECT _id
const entity = await DriveFile.findOne({ const entity = await DriveFile.findOne({
@ -90,6 +95,11 @@ module.exports = (params, user, app) =>
// Get 'repost_id' parameter // Get 'repost_id' parameter
let repost = params.repost_id; let repost = params.repost_id;
if (repost !== undefined && repost !== null) { if (repost !== undefined && repost !== null) {
// Validate id
if (!mongo.ObjectID.isValid(repost)) {
return rej('incorrect repost_id');
}
// Fetch repost to post // Fetch repost to post
repost = await Post.findOne({ repost = await Post.findOne({
_id: new mongo.ObjectID(repost) _id: new mongo.ObjectID(repost)
@ -131,6 +141,12 @@ module.exports = (params, user, app) =>
// Get 'reply_to_id' parameter // Get 'reply_to_id' parameter
let replyTo = params.reply_to_id; let replyTo = params.reply_to_id;
if (replyTo !== undefined && replyTo !== null) { if (replyTo !== undefined && replyTo !== null) {
// Validate id
if (!mongo.ObjectID.isValid(replyTo)) {
return rej('incorrect reply_to_id');
}
// Fetch reply
replyTo = await Post.findOne({ replyTo = await Post.findOne({
_id: new mongo.ObjectID(replyTo) _id: new mongo.ObjectID(replyTo)
}); });