fix: Escape SQL LIKE (#9493)

* SQL LIKE escape * CHANGELOG
author: MeiMei <30769358+mei23@users.noreply.github.com> 2023-01-08 20:32:17 +0900
committer: GitHub <noreply@github.com> 2023-01-08 20:32:17 +0900
commit: 10e526ba5682fef9488d1d38ba5dfcda38619673 (patch)
tree: 1677ade360e317be70200050cb67b0957f35ebca /packages/backend/src/server/api/endpoints/admin/emoji
parent: fix following chart (diff)
download: misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.gz
misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.bz2
misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.zip
2 files changed, 4 insertions, 2 deletions
diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts b/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts
index c03d27878c..ed60efd7b4 100644
--- a/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts
@@ -5,6 +5,7 @@ import { QueryService } from '@/core/QueryService.js';
 import { UtilityService } from '@/core/UtilityService.js';
 import { EmojiEntityService } from '@/core/entities/EmojiEntityService.js';
 import { DI } from '@/di-symbols.js';
+import { sqlLikeEscape } from '@/misc/sql-like-escape';
 
 export const meta = {
 	tags: ['admin'],
@@ -92,7 +93,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			}
 
 			if (ps.query) {
-				q.andWhere('emoji.name like :query', { query: '%' + ps.query + '%' });
+				q.andWhere('emoji.name like :query', { query: '%' + sqlLikeEscape(ps.query) + '%' });
 			}
 
 			const emojis = await q
diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/list.ts b/packages/backend/src/server/api/endpoints/admin/emoji/list.ts
index 271b142126..f357e45a52 100644
--- a/packages/backend/src/server/api/endpoints/admin/emoji/list.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/list.ts
@@ -5,6 +5,7 @@ import type { Emoji } from '@/models/entities/Emoji.js';
 import { QueryService } from '@/core/QueryService.js';
 import { DI } from '@/di-symbols.js';
 import { EmojiEntityService } from '@/core/entities/EmojiEntityService.js';
+//import { sqlLikeEscape } from '@/misc/sql-like-escape';
 
 export const meta = {
 	tags: ['admin'],
@@ -82,7 +83,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			let emojis: Emoji[];
 
 			if (ps.query) {
-				//q.andWhere('emoji.name ILIKE :q', { q: `%${ps.query}%` });
+				//q.andWhere('emoji.name ILIKE :q', { q: `%${ sqlLikeEscape(ps.query) }%` });
 				//const emojis = await q.take(ps.limit).getMany();
 
 				emojis = await q.getMany();
author	MeiMei <30769358+mei23@users.noreply.github.com>	2023-01-08 20:32:17 +0900
committer	GitHub <noreply@github.com>	2023-01-08 20:32:17 +0900
commit	10e526ba5682fef9488d1d38ba5dfcda38619673 (patch)
tree	1677ade360e317be70200050cb67b0957f35ebca /packages/backend/src/server/api/endpoints/admin/emoji
parent	fix following chart (diff)
download	misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.gz misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.bz2 misskey-10e526ba5682fef9488d1d38ba5dfcda38619673.zip