[API] Fix: Validate id

author: syuilo <syuilotan@yahoo.co.jp> 2017-01-18 06:32:50 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2017-01-18 06:32:50 +0900
commit: 2f596948f3e0f7bf48246da4f60656716d311034 (patch)
tree: 0239f34f9d604a7db734046c9bd724386e8bcc9a /src/api/endpoints/users
parent: [API] Fix bugs (diff)
download: sharkey-2f596948f3e0f7bf48246da4f60656716d311034.tar.gz
sharkey-2f596948f3e0f7bf48246da4f60656716d311034.tar.bz2
sharkey-2f596948f3e0f7bf48246da4f60656716d311034.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/api/endpoints/users/show.js b/src/api/endpoints/users/show.js
index af475c6cb9..43d6e700a5 100644
--- a/src/api/endpoints/users/show.js
+++ b/src/api/endpoints/users/show.js
@@ -33,6 +33,11 @@ module.exports = (params, me) =>
 		return rej('user_id or username is required');
 	}
 
+	// Validate id
+	if (userId && !mongo.ObjectID.isValid(userId)) {
+		return rej('incorrect user_id');
+	}
+
 	// Lookup user
 	const user = userId !== null
 		? await User.findOne({ _id: new mongo.ObjectID(userId) })
author	syuilo <syuilotan@yahoo.co.jp>	2017-01-18 06:32:50 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2017-01-18 06:32:50 +0900
commit	2f596948f3e0f7bf48246da4f60656716d311034 (patch)
tree	0239f34f9d604a7db734046c9bd724386e8bcc9a /src/api/endpoints/users
parent	[API] Fix bugs (diff)
download	sharkey-2f596948f3e0f7bf48246da4f60656716d311034.tar.gz sharkey-2f596948f3e0f7bf48246da4f60656716d311034.tar.bz2 sharkey-2f596948f3e0f7bf48246da4f60656716d311034.zip