diff options
| author | MeiMei <30769358+mei23@users.noreply.github.com> | 2023-01-08 20:32:17 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-08 20:32:17 +0900 |
| commit | 10e526ba5682fef9488d1d38ba5dfcda38619673 (patch) | |
| tree | 1677ade360e317be70200050cb67b0957f35ebca /packages/backend/src/server/api/endpoints/admin | |
| parent | fix following chart (diff) | |
| download | sharkey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.gz sharkey-10e526ba5682fef9488d1d38ba5dfcda38619673.tar.bz2 sharkey-10e526ba5682fef9488d1d38ba5dfcda38619673.zip | |
fix: Escape SQL LIKE (#9493)
* SQL LIKE escape
* CHANGELOG
Diffstat (limited to 'packages/backend/src/server/api/endpoints/admin')
3 files changed, 6 insertions, 3 deletions
diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts b/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts index c03d27878c..ed60efd7b4 100644 --- a/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts +++ b/packages/backend/src/server/api/endpoints/admin/emoji/list-remote.ts @@ -5,6 +5,7 @@ import { QueryService } from '@/core/QueryService.js'; import { UtilityService } from '@/core/UtilityService.js'; import { EmojiEntityService } from '@/core/entities/EmojiEntityService.js'; import { DI } from '@/di-symbols.js'; +import { sqlLikeEscape } from '@/misc/sql-like-escape'; export const meta = { tags: ['admin'], @@ -92,7 +93,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { } if (ps.query) { - q.andWhere('emoji.name like :query', { query: '%' + ps.query + '%' }); + q.andWhere('emoji.name like :query', { query: '%' + sqlLikeEscape(ps.query) + '%' }); } const emojis = await q diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/list.ts b/packages/backend/src/server/api/endpoints/admin/emoji/list.ts index 271b142126..f357e45a52 100644 --- a/packages/backend/src/server/api/endpoints/admin/emoji/list.ts +++ b/packages/backend/src/server/api/endpoints/admin/emoji/list.ts @@ -5,6 +5,7 @@ import type { Emoji } from '@/models/entities/Emoji.js'; import { QueryService } from '@/core/QueryService.js'; import { DI } from '@/di-symbols.js'; import { EmojiEntityService } from '@/core/entities/EmojiEntityService.js'; +//import { sqlLikeEscape } from '@/misc/sql-like-escape'; export const meta = { tags: ['admin'], @@ -82,7 +83,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { let emojis: Emoji[]; if (ps.query) { - //q.andWhere('emoji.name ILIKE :q', { q: `%${ps.query}%` }); + //q.andWhere('emoji.name ILIKE :q', { q: `%${ sqlLikeEscape(ps.query) }%` }); //const emojis = await q.take(ps.limit).getMany(); emojis = await q.getMany(); diff --git a/packages/backend/src/server/api/endpoints/admin/show-users.ts b/packages/backend/src/server/api/endpoints/admin/show-users.ts index 33e1be8041..722e284dde 100644 --- a/packages/backend/src/server/api/endpoints/admin/show-users.ts +++ b/packages/backend/src/server/api/endpoints/admin/show-users.ts @@ -3,6 +3,7 @@ import type { UsersRepository } from '@/models/index.js'; import { Endpoint } from '@/server/api/endpoint-base.js'; import { DI } from '@/di-symbols.js'; import { UserEntityService } from '@/core/entities/UserEntityService.js'; +import { sqlLikeEscape } from '@/misc/sql-like-escape'; export const meta = { tags: ['admin'], @@ -68,7 +69,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { } if (ps.username) { - query.andWhere('user.usernameLower like :username', { username: ps.username.toLowerCase() + '%' }); + query.andWhere('user.usernameLower like :username', { username: sqlLikeEscape(ps.username.toLowerCase()) + '%' }); } if (ps.hostname) { |