[API] Fix: Validate id

author: syuilo <syuilotan@yahoo.co.jp> 2017-01-21 07:33:46 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2017-01-21 07:33:46 +0900
commit: 1c9ec601407d1d8f5367155f8ae25bdcd73a313a (patch)
tree: 4f6e097151c43176444483fb5d6b440e7b8992bd /src/api/endpoints
parent: [API] Fix bug (diff)
download: sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.tar.gz
sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.tar.bz2
sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/api/endpoints/posts/likes/delete.js b/src/api/endpoints/posts/likes/delete.js
index b5b7e5177c..e3dee23bf2 100644
--- a/src/api/endpoints/posts/likes/delete.js
+++ b/src/api/endpoints/posts/likes/delete.js
@@ -25,6 +25,11 @@ module.exports = (params, user) =>
 		return rej('post_id is required');
 	}
 
+	// Validate id
+	if (!mongo.ObjectID.isValid(postId)) {
+		return rej('incorrect post_id');
+	}
+
 	// Get likee
 	const post = await Post.findOne({
 		_id: new mongo.ObjectID(postId)
author	syuilo <syuilotan@yahoo.co.jp>	2017-01-21 07:33:46 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2017-01-21 07:33:46 +0900
commit	1c9ec601407d1d8f5367155f8ae25bdcd73a313a (patch)
tree	4f6e097151c43176444483fb5d6b440e7b8992bd /src/api/endpoints
parent	[API] Fix bug (diff)
download	sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.tar.gz sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.tar.bz2 sharkey-1c9ec601407d1d8f5367155f8ae25bdcd73a313a.zip