mirror of
https://git.joinsharkey.org/Sharkey/Sharkey.git
synced 2024-11-26 23:03:09 +02:00
nicer file type search
* the previous one could allow a SQL injection, since the `opts.filetype` value came straight from the browser * this more precise regex match will not produce spurious matches (which were very unlikely, true, but still, let's be precise) (`video/movingimages` would have matched `%image%`!)
This commit is contained in:
parent
6b3b805a3e
commit
b74fd71d67
1 changed files with 12 additions and 1 deletions
|
@ -220,7 +220,18 @@ export class SearchService {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (opts.filetype) {
|
if (opts.filetype) {
|
||||||
query.andWhere(`note."attachedFileTypes"::varchar LIKE '%${opts.filetype}%'`);
|
// this is very ugly, but the "correct" solution would
|
||||||
|
// be `and exists (select 1 from
|
||||||
|
// unnest(note."attachedFileTypes") x(t) where t like
|
||||||
|
// :type)` and I can't find a way to get TypeORM to
|
||||||
|
// generate that; this hack works because `~*` is
|
||||||
|
// "regexp match, ignoring case" and the stringified
|
||||||
|
// version of an array of varchars (which is what
|
||||||
|
// `attachedFileTypes` is) looks like `{foo,bar}`, so
|
||||||
|
// we're looking for opts.filetype as the first half
|
||||||
|
// of a MIME type, either at start of the array (after
|
||||||
|
// the `{`) or later (after a `,`)
|
||||||
|
query.andWhere(`note."attachedFileTypes"::varchar ~* :type`, { type: `[{,]${opts.filetype}/` });
|
||||||
}
|
}
|
||||||
|
|
||||||
this.queryService.generateVisibilityQuery(query, me);
|
this.queryService.generateVisibilityQuery(query, me);
|
||||||
|
|
Loading…
Reference in a new issue