| author | piuvas <mail@piuvas.net> | 2025-04-20 12:34:00 -0300 |
|---|---|---|
| committer | piuvas <mail@piuvas.net> | 2025-04-20 12:34:00 -0300 |
| commit | 46fa99fc282dc57a4f60c37080cc8a32a89c5492 (patch) | |
| tree | cdf66423470809264460d6ed3fa60f8c4ce7a124 /packages/backend/src/server/api/endpoints | |
| parent | add merge guide for verifyLink. (diff) | |
requested changes to verifyFieldLinks
Co-authored-by: dakkar <dakkar@thenautilus.net>
Diffstat (limited to 'packages/backend/src/server/api/endpoints')
| -rw-r--r-- | packages/backend/src/server/api/endpoints/i/update.ts | 25 |
1 files changed, 11 insertions, 14 deletions
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index b6675505e0..f8937a8919 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -31,7 +31,7 @@ import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.j
 import { HttpRequestService } from '@/core/HttpRequestService.js';
 import type { Config } from '@/config.js';
 import { safeForSql } from '@/misc/safe-for-sql.js';
-import { verifyFieldLink } from '@/misc/verify-field-link.js'
+import { verifyFieldLinks } from '@/misc/verify-field-link.js';
 import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
 import { notificationRecieveConfig } from '@/models/json-schema/user.js';
 import { userUnsignedFetchOptions } from '@/const.js';
@@ -585,9 +585,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 this.globalEventService.publishInternalEvent('localUserUpdated', { id: user.id });
 }
+ const verified_links = await verifyFieldLinks(newFields, `${this.config.url}/@${user.username}`, this.httpRequestService);
+
 await this.userProfilesRepository.update(user.id, {
 ...profileUpdates,
- verifiedLinks: [],
+ verifiedLinks: verified_links,
 });
 const iObj = await this.userEntityService.pack(user.id, user, {
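Review bot: The new `verifyFieldLinks` call on the added line runs before the profile row is written, so a rejection from the outbound requests it presumably makes (it is handed `httpRequestService`, and every field value being checked is user-supplied) now aborts the whole update, whereas the old code only verified after the row had been persisted. If the helper can throw on network errors, make verification best-effort and keep the write, e.g. `const verified_links = await verifyFieldLinks(newFields, `${this.config.url}/@${user.username}`, this.httpRequestService).catch(() => []);`, logging the error through whatever logger this class has rather than dropping it silently. It is also worth confirming that `newFields` falls back to the stored fields when the request carries none; if it does not, an unrelated profile edit would wipe `verifiedLinks` (the old `verifiedLinks: []` already did that, so this is not a regression). On style, `verified_links` is the only snake_case local in a camelCase file; `verifiedLinks` would match the column it is written to. The enclosing endpoint callback starts and ends outside the hunk.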
@@ -612,18 +614,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 this.accountUpdateService.publishToFollowers(user.id);
 }
- const urls = updatedProfile.fields.filter(x => x.value.startsWith('https://'));
- for (const url of urls) {
- // this is a different, broader implementation so we can support remote users.
- const includesProfileLinks = await verifyFieldLink(url.value, `${this.config.url}/@${user.username}`, this.httpRequestService);
- if (includesProfileLinks) {
- await userProfilesRepository.createQueryBuilder('profile').update()
- .where('userId = :userId', { userId: user.id })
- .set({
- verifiedLinks: () => `array_append("verifiedLinks", '${url}')`, // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
- })
- .execute();
- }
+ if (verified_links.length > 0) {
+ await userProfilesRepository.createQueryBuilder('profile').update()
+ .where('userId = :userId', { userId: user.id })
+ .set({
+ verifiedLinks: verified_links.filter(x => safeForSql(x)), // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
+ })
+ .execute();
 }
 return iObj; |
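Review bot: The `safeForSql` filter and the carried-over comment about SQL injection on the new `verifiedLinks:` line are stale: the `array_append("verifiedLinks", '${url}')` string interpolation they guarded is gone from the new side, and the array is now handed to `.set()` as a plain value, which the query builder presumably binds as a parameter, so `safeForSql` no longer blocks injection and only silently drops links the verifier has already accepted. The block is also a second write of the same column that the earlier hunk already stores through `this.userProfilesRepository.update(user.id, { ...profileUpdates, verifiedLinks: verified_links })`, so its only net effect is an extra round trip and a brief window where the unfiltered list is stored. I would delete the whole `if (verified_links.length > 0) { ... }` block; if a character filter on stored URLs is genuinely wanted, apply it once where `verified_links` is computed and replace the Japanese comment with one that states the actual reason (e.g. `// drop links with characters we never want in a stored URL`). The enclosing endpoint callback starts outside the hunk.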