fix(server): improve security

author: syuilo <Syuilotan@yahoo.co.jp> 2023-02-04 18:21:07 +0900
committer: syuilo <Syuilotan@yahoo.co.jp> 2023-02-04 18:21:07 +0900
commit: ee74df68233adcd5b167258c621565f97c3b2306 (patch)
tree: 0bba5031ba99bf34485d8e9067be82e701da20c7 /packages/backend/src/server/api/endpoints
parent: 13.3.2 (diff)
download: sharkey-ee74df68233adcd5b167258c621565f97c3b2306.tar.gz
sharkey-ee74df68233adcd5b167258c621565f97c3b2306.tar.bz2
sharkey-ee74df68233adcd5b167258c621565f97c3b2306.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
index 061e371d65..bcd793ac43 100644
--- a/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
+++ b/packages/backend/src/server/api/endpoints/notes/search-by-tag.ts
@@ -95,14 +95,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 
 			try {
 				if (ps.tag) {
-					if (!safeForSql(ps.tag)) throw 'Injection';
+					if (!safeForSql(normalizeForSearch(ps.tag))) throw 'Injection';
 					query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
 				} else {
 					query.andWhere(new Brackets(qb => {
 						for (const tags of ps.query!) {
 							qb.orWhere(new Brackets(qb => {
 								for (const tag of tags) {
-									if (!safeForSql(tag)) throw 'Injection';
+									if (!safeForSql(normalizeForSearch(tag))) throw 'Injection';
 									qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
 								}
 							}));
author	syuilo <Syuilotan@yahoo.co.jp>	2023-02-04 18:21:07 +0900
committer	syuilo <Syuilotan@yahoo.co.jp>	2023-02-04 18:21:07 +0900
commit	ee74df68233adcd5b167258c621565f97c3b2306 (patch)
tree	0bba5031ba99bf34485d8e9067be82e701da20c7 /packages/backend/src/server/api/endpoints
parent	13.3.2 (diff)
download	sharkey-ee74df68233adcd5b167258c621565f97c3b2306.tar.gz sharkey-ee74df68233adcd5b167258c621565f97c3b2306.tar.bz2 sharkey-ee74df68233adcd5b167258c621565f97c3b2306.zip