From b74fd71d67d600b2acabfef34b6d9e05e9264463 Mon Sep 17 00:00:00 2001
From: dakkar
Date: Sun, 22 Oct 2023 13:35:11 +0100
Subject: [PATCH 1/2] nicer file type search
* the previous one could allow a SQL injection, since the `opts.filetype` value came straight from the browser
* this more precise regex match will not produce spurious matches (which were very unlikely, true, but still, let's be precise) (`video/movingimages` would have matched `%image%`!)
---
 packages/backend/src/core/SearchService.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/packages/backend/src/core/SearchService.ts b/packages/backend/src/core/SearchService.ts
index 9dc53dafe..4fd1d72f2 100644
--- a/packages/backend/src/core/SearchService.ts
+++ b/packages/backend/src/core/SearchService.ts
@@ -220,7 +220,18 @@ export class SearchService {
 }
 if (opts.filetype) {
- query.andWhere(`note."attachedFileTypes"::varchar LIKE '%${opts.filetype}%'`);
+ // this is very ugly, but the "correct" solution would
+ // be `and exists (select 1 from
+ // unnest(note."attachedFileTypes") x(t) where t like
+ // :type)` and I can't find a way to get TypeORM to
+ // generate that; this hack works because `~*` is
+ // "regexp match, ignoring case" and the stringified
+ // version of an array of varchars (which is what
+ // `attachedFileTypes` is) looks like `{foo,bar}`, so
+ // we're looking for opts.filetype as the first half
+ // of a MIME type, either at start of the array (after
+ // the `{`) or later (after a `,`)
+ query.andWhere(`note."attachedFileTypes"::varchar ~* :type`, { type: `[{,]${opts.filetype}/` });
 }
 this.queryService.generateVisibilityQuery(query, me);
From 1dc5623713915c2bf3dae93a3473d80e93f96be8 Mon Sep 17 00:00:00 2001
From: dakkar
Date: Sun, 22 Oct 2023 13:43:19 +0100
Subject: [PATCH 2/2] use block comment
---
 packages/backend/src/core/SearchService.ts | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
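Review bot: `opts.filetype` is still spliced unescaped into the pattern on the new `query.andWhere` line, so although the `:type` parameter binding removes the SQL injection, the browser-supplied value is now interpreted by PostgreSQL as a regular expression. A value such as `(` makes the query fail with an invalid-regex error and the whole search request errors out, `.*` turns the filter into "any note with any attachment", and more elaborate patterns are presumably evaluated per row since the `::varchar` cast defeats indexing. I would neutralise the metacharacters before interpolating, `const filetype = opts.filetype.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');`, and use `filetype` instead of `opts.filetype` inside the template literal; rejecting anything outside `/^[A-Za-z0-9!#$&^_.+-]+$/` (MIME type-name characters) before it reaches this method would be tighter still, if the callers are known. The enclosing method starts before this hunk and the `SearchService` class continues past it.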
diff --git a/packages/backend/src/core/SearchService.ts b/packages/backend/src/core/SearchService.ts
index 4fd1d72f2..6103b0e0f 100644
--- a/packages/backend/src/core/SearchService.ts
+++ b/packages/backend/src/core/SearchService.ts
@@ -220,17 +220,17 @@ export class SearchService {
 }
 if (opts.filetype) {
- // this is very ugly, but the "correct" solution would
- // be `and exists (select 1 from
- // unnest(note."attachedFileTypes") x(t) where t like
- // :type)` and I can't find a way to get TypeORM to
- // generate that; this hack works because `~*` is
- // "regexp match, ignoring case" and the stringified
- // version of an array of varchars (which is what
- // `attachedFileTypes` is) looks like `{foo,bar}`, so
- // we're looking for opts.filetype as the first half
- // of a MIME type, either at start of the array (after
- // the `{`) or later (after a `,`)
+ /* this is very ugly, but the "correct" solution would
+ be `and exists (select 1 from
+ unnest(note."attachedFileTypes") x(t) where t like
+ :type)` and I can't find a way to get TypeORM to
+ generate that; this hack works because `~*` is
+ "regexp match, ignoring case" and the stringified
+ version of an array of varchars (which is what
+ `attachedFileTypes` is) looks like `{foo,bar}`, so
+ we're looking for opts.filetype as the first half of
+ a MIME type, either at start of the array (after the
+ `{`) or later (after a `,`) */
 query.andWhere(`note."attachedFileTypes"::varchar ~* :type`, { type: `[{,]${opts.filetype}/` });
 }
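Review bot: The reworked block comment explains the `{foo,bar}` stringification trick but is silent on the one property the pattern below it depends on: `opts.filetype` is interpolated into the regex without escaping, so the filter's correctness and the query's robustness rest on the value containing no regex metacharacters. I would end the comment with a sentence stating that contract, e.g. `NOTE: opts.filetype is spliced into the pattern as-is; it must be limited to plain MIME type-name characters (no regex metacharacters) before it gets here.` The comment also says TypeORM cannot be made to generate the `exists (select 1 from unnest(...))` form, yet `andWhere` on the context line below takes a raw SQL fragment, so it seems that form could be passed as a string with the same `:type` parameter; if that was tried and failed, the comment should say why. The enclosing method starts before this hunk.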