[API] Fix: Validate ids

author: syuilo <syuilotan@yahoo.co.jp> 2017-01-18 05:26:29 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2017-01-18 05:26:29 +0900
commit: 564aa706bc9b40176a48b94c42e08e470557446d (patch)
tree: 4a3c670b0f64f5a2f10d569f9fde3ab9b4715bc0 /src/api
parent: Update api.js (diff)
download: sharkey-564aa706bc9b40176a48b94c42e08e470557446d.tar.gz
sharkey-564aa706bc9b40176a48b94c42e08e470557446d.tar.bz2
sharkey-564aa706bc9b40176a48b94c42e08e470557446d.zip
2 files changed, 10 insertions, 0 deletions
diff --git a/src/api/endpoints/following/create.js b/src/api/endpoints/following/create.js
index 90a6da9838..4a796b11a4 100644
--- a/src/api/endpoints/following/create.js
+++ b/src/api/endpoints/following/create.js
@@ -28,6 +28,11 @@ module.exports = (params, user) =>
 		return rej('user_id is required');
 	}
 
+	// Validate id
+	if (!mongo.ObjectID.isValid(userId)) {
+		return rej('incorrect user_id');
+	}
+
 	// 自分自身
 	if (user._id.equals(userId)) {
 		return rej('followee is yourself');
diff --git a/src/api/endpoints/following/delete.js b/src/api/endpoints/following/delete.js
index 9bb1b082e9..2da20dea38 100644
--- a/src/api/endpoints/following/delete.js
+++ b/src/api/endpoints/following/delete.js
@@ -27,6 +27,11 @@ module.exports = (params, user) =>
 		return rej('user_id is required');
 	}
 
+	// Validate id
+	if (!mongo.ObjectID.isValid(userId)) {
+		return rej('incorrect user_id');
+	}
+
 	// Check if the followee is yourself
 	if (user._id.equals(userId)) {
 		return rej('followee is yourself');
author	syuilo <syuilotan@yahoo.co.jp>	2017-01-18 05:26:29 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2017-01-18 05:26:29 +0900
commit	564aa706bc9b40176a48b94c42e08e470557446d (patch)
tree	4a3c670b0f64f5a2f10d569f9fde3ab9b4715bc0 /src/api
parent	Update api.js (diff)
download	sharkey-564aa706bc9b40176a48b94c42e08e470557446d.tar.gz sharkey-564aa706bc9b40176a48b94c42e08e470557446d.tar.bz2 sharkey-564aa706bc9b40176a48b94c42e08e470557446d.zip