[API] Fix: Validate id

author: syuilo <syuilotan@yahoo.co.jp> 2017-01-20 17:51:31 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2017-01-20 17:51:31 +0900
commit: 2cc2ecb13c9d92f8c27d7fab335393c2112a6a57 (patch)
tree: b365a161a8833fc91f6b77a5b94c3bb1dbe09e45 /src/api/endpoints/posts
parent: [API] Fix bugs (diff)
download: sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.tar.gz
sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.tar.bz2
sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/api/endpoints/posts/likes/create.js b/src/api/endpoints/posts/likes/create.js
index d148c99d41..8963b482bf 100644
--- a/src/api/endpoints/posts/likes/create.js
+++ b/src/api/endpoints/posts/likes/create.js
@@ -28,6 +28,11 @@ module.exports = (params, user) =>
 		return rej('post_id is required');
 	}
 
+	// Validate id
+	if (!mongo.ObjectID.isValid(postId)) {
+		return rej('incorrect post_id');
+	}
+
 	// Get likee
 	const post = await Post.findOne({
 		_id: new mongo.ObjectID(postId)
author	syuilo <syuilotan@yahoo.co.jp>	2017-01-20 17:51:31 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2017-01-20 17:51:31 +0900
commit	2cc2ecb13c9d92f8c27d7fab335393c2112a6a57 (patch)
tree	b365a161a8833fc91f6b77a5b94c3bb1dbe09e45 /src/api/endpoints/posts
parent	[API] Fix bugs (diff)
download	sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.tar.gz sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.tar.bz2 sharkey-2cc2ecb13c9d92f8c27d7fab335393c2112a6a57.zip