Diffstat (limited to 'src/api/endpoints/posts')
-rw-r--r--src/api/endpoints/posts/create.js16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/api/endpoints/posts/create.js b/src/api/endpoints/posts/create.js
index c3291bc725..3a527023c1 100644
--- a/src/api/endpoints/posts/create.js
+++ b/src/api/endpoints/posts/create.js
@@ -68,6 +68,11 @@ module.exports = (params, user, app) =>
for (let i = 0; i < media.length; i++) {
const image = media[i];
+ // Validate id
+ if (!mongo.ObjectID.isValid(image)) {
+ return rej('incorrect media id');
+ }
+
// Fetch file
// SELECT _id
const entity = await DriveFile.findOne({
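Review bot: `mongo.ObjectID.isValid(image)` is looser than "Validate id" suggests: in the bson driver versions I know of it returns true for numbers and for any 12-character string, not only 24-character hex strings, so a request value that is not a string id can still pass. Since `media` comes from request parameters, a stricter guard such as `if (typeof image !== 'string' || !/^[0-9a-fA-F]{24}$/.test(image)) return rej('incorrect media id');` would pin the accepted shape before the value reaches the query. The same applies to the `repost_id` and `reply_to_id` checks in the two later hunks, where the value goes straight into `new mongo.ObjectID(...)`. The loop body continues past this hunk, so how `image` is used in the `DriveFile.findOne` filter is not visible here.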
@@ -90,6 +95,11 @@ module.exports = (params, user, app) =>
// Get 'repost_id' parameter
let repost = params.repost_id;
if (repost !== undefined && repost !== null) {
+ // Validate id
+ if (!mongo.ObjectID.isValid(repost)) {
+ return rej('incorrect repost_id');
+ }
+
// Fetch repost to post
repost = await Post.findOne({
_id: new mongo.ObjectID(repost)
@@ -131,6 +141,12 @@ module.exports = (params, user, app) =>
// Get 'reply_to_id' parameter
let replyTo = params.reply_to_id;
if (replyTo !== undefined && replyTo !== null) {
+ // Validate id
+ if (!mongo.ObjectID.isValid(replyTo)) {
+ return rej('incorrect reply_to_id');
+ }
+
+ // Fetch reply
replyTo = await Post.findOne({
_id: new mongo.ObjectID(replyTo)
});
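Review bot: The same validate-and-reject block now appears three times in this handler (the media loop, `repost_id`, `reply_to_id`), and the messages already differ in form ('incorrect media id' against 'incorrect repost_id'). A small local helper that takes the value and the parameter name would keep the accepted id shape and the error text in one place, so a later tightening of the check cannot miss a call site. The handler starts and ends outside these hunks, so where such a helper would best be placed is not visible from here.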