From 30b231225c85abd269c005153167e6827bfc7921 Mon Sep 17 00:00:00 2001
From: FineArchs <133759614+FineArchs@users.noreply.github.com>
Date: Sun, 24 Sep 2023 14:41:41 +0900
Subject: Mk:apiで外部サーバーとの接続を禁止 (#11883)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Mk:url(): no automatic token attaching when ep is url

* Limit requests to external servers by Mk:api

* remove unused import

* Update CHANGELOG.md

* Update packages/frontend/src/scripts/aiscript/api.ts

Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>

---------

Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>
---
 packages/frontend/src/scripts/aiscript/api.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'packages/frontend/src/scripts/aiscript/api.ts')

diff --git a/packages/frontend/src/scripts/aiscript/api.ts b/packages/frontend/src/scripts/aiscript/api.ts
index 0bb9185936..9f60e52cea 100644
--- a/packages/frontend/src/scripts/aiscript/api.ts
+++ b/packages/frontend/src/scripts/aiscript/api.ts
@@ -34,12 +34,15 @@ export function createAiScriptEnv(opts) {
 			return confirm.canceled ? values.FALSE : values.TRUE;
 		}),
 		'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
+			utils.assertString(ep);
+			if (ep.value.includes('://')) throw new Error('invalid endpoint');
 			if (token) {
 				utils.assertString(token);
 				// バグがあればundefinedもあり得るため念のため
 				if (typeof token.value !== 'string') throw new Error('invalid token');
 			}
-			return os.api(ep.value, utils.valToJs(param), token ? token.value : (opts.token ?? null)).then(res => {
+			const actualToken: string|null = token?.value ?? opts.token ?? null;
+			return os.api(ep.value, utils.valToJs(param), actualToken).then(res => {
 				return utils.jsToVal(res);
 			}, err => {
 				return values.ERROR('request_failed', utils.jsToVal(err));
-- 
cgit v1.2.3-freya