diff options
| author | syuilo <syuilotan@yahoo.co.jp> | 2017-02-12 06:01:31 +0900 |
|---|---|---|
| committer | syuilo <syuilotan@yahoo.co.jp> | 2017-02-12 06:01:31 +0900 |
| commit | 40f05f4ea5b5ffa083cff1bbb1832a472544a8ae (patch) | |
| tree | 660c181e6aa4abac2082b5da90e97f6a711feb4d | |
| parent | [Test] Fix some tests (diff) | |
| download | sharkey-40f05f4ea5b5ffa083cff1bbb1832a472544a8ae.tar.gz sharkey-40f05f4ea5b5ffa083cff1bbb1832a472544a8ae.tar.bz2 sharkey-40f05f4ea5b5ffa083cff1bbb1832a472544a8ae.zip | |
[API] Fix: Validate file_id
| -rw-r--r-- | src/api/endpoints/drive/files/update.js | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/api/endpoints/drive/files/update.js b/src/api/endpoints/drive/files/update.js index 3ec9e5a73d..612d380955 100644 --- a/src/api/endpoints/drive/files/update.js +++ b/src/api/endpoints/drive/files/update.js @@ -26,6 +26,11 @@ module.exports = (params, user) => return rej('file_id is required'); } + // Validate id + if (!mongo.ObjectID.isValid(fileId)) { + return rej('incorrect file_id'); + } + const file = await DriveFile .findOne({ _id: new mongo.ObjectID(fileId), |