mirror of
https://git.joinsharkey.org/Sharkey/Sharkey.git
synced 2024-11-10 08:03:08 +02:00
nicer file type search
* the previous one could allow a SQL injection, since the `opts.filetype` value came straight from the browser * this more precise regex match will not produce spurious matches (which were very unlikely, true, but still, let's be precise) (`video/movingimages` would have matched `%image%`!)
This commit is contained in:
parent
6b3b805a3e
commit
b74fd71d67
1 changed files with 12 additions and 1 deletions
|
@ -220,7 +220,18 @@ export class SearchService {
|
|||
}
|
||||
|
||||
if (opts.filetype) {
|
||||
query.andWhere(`note."attachedFileTypes"::varchar LIKE '%${opts.filetype}%'`);
|
||||
// this is very ugly, but the "correct" solution would
|
||||
// be `and exists (select 1 from
|
||||
// unnest(note."attachedFileTypes") x(t) where t like
|
||||
// :type)` and I can't find a way to get TypeORM to
|
||||
// generate that; this hack works because `~*` is
|
||||
// "regexp match, ignoring case" and the stringified
|
||||
// version of an array of varchars (which is what
|
||||
// `attachedFileTypes` is) looks like `{foo,bar}`, so
|
||||
// we're looking for opts.filetype as the first half
|
||||
// of a MIME type, either at start of the array (after
|
||||
// the `{`) or later (after a `,`)
|
||||
query.andWhere(`note."attachedFileTypes"::varchar ~* :type`, { type: `[{,]${opts.filetype}/` });
|
||||
}
|
||||
|
||||
this.queryService.generateVisibilityQuery(query, me);
|
||||
|
|
Loading…
Reference in a new issue