Return 404 for invalid Object ID (#3627)

* Update activitypub.ts

* Update activitypub.ts

* Update featured.ts

* Update followers.ts

* Update following.ts

* Update outbox.ts

* Fix following, outbox
This commit is contained in:
MeiMei 2018-12-16 01:44:59 +09:00 committed by syuilo
parent 603320eebc
commit 2d4fc788c0
5 changed files with 58 additions and 16 deletions

View File

@ -1,4 +1,4 @@
import * as mongo from 'mongodb'; import { ObjectID } from 'mongodb';
import * as Router from 'koa-router'; import * as Router from 'koa-router';
const json = require('koa-json-body'); const json = require('koa-json-body');
const httpSignature = require('http-signature'); const httpSignature = require('http-signature');
@ -64,8 +64,13 @@ router.post('/users/:user/inbox', json(), inbox);
router.get('/notes/:note', async (ctx, next) => { router.get('/notes/:note', async (ctx, next) => {
if (!isActivityPubReq(ctx)) return await next(); if (!isActivityPubReq(ctx)) return await next();
if (!ObjectID.isValid(ctx.params.note)) {
ctx.status = 404;
return;
}
const note = await Note.findOne({ const note = await Note.findOne({
_id: new mongo.ObjectID(ctx.params.note), _id: new ObjectID(ctx.params.note),
visibility: { $in: ['public', 'home'] }, visibility: { $in: ['public', 'home'] },
localOnly: { $ne: true } localOnly: { $ne: true }
}); });
@ -82,8 +87,13 @@ router.get('/notes/:note', async (ctx, next) => {
// note activity // note activity
router.get('/notes/:note/activity', async ctx => { router.get('/notes/:note/activity', async ctx => {
if (!ObjectID.isValid(ctx.params.note)) {
ctx.status = 404;
return;
}
const note = await Note.findOne({ const note = await Note.findOne({
_id: new mongo.ObjectID(ctx.params.note), _id: new ObjectID(ctx.params.note),
visibility: { $in: ['public', 'home'] }, visibility: { $in: ['public', 'home'] },
localOnly: { $ne: true } localOnly: { $ne: true }
}); });
@ -112,7 +122,12 @@ router.get('/users/:user/collections/featured', Featured);
// publickey // publickey
router.get('/users/:user/publickey', async ctx => { router.get('/users/:user/publickey', async ctx => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
const user = await User.findOne({ const user = await User.findOne({
_id: userId, _id: userId,
@ -146,7 +161,12 @@ async function userInfo(ctx: Router.IRouterContext, user: IUser) {
} }
router.get('/users/:user', async ctx => { router.get('/users/:user', async ctx => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
const user = await User.findOne({ const user = await User.findOne({
_id: userId, _id: userId,

View File

@ -1,4 +1,4 @@
import * as mongo from 'mongodb'; import { ObjectID } from 'mongodb';
import * as Router from 'koa-router'; import * as Router from 'koa-router';
import config from '../../config'; import config from '../../config';
import User from '../../models/user'; import User from '../../models/user';
@ -9,7 +9,12 @@ import Note from '../../models/note';
import renderNote from '../../remote/activitypub/renderer/note'; import renderNote from '../../remote/activitypub/renderer/note';
export default async (ctx: Router.IRouterContext) => { export default async (ctx: Router.IRouterContext) => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
// Verify user // Verify user
const user = await User.findOne({ const user = await User.findOne({
@ -24,7 +29,7 @@ export default async (ctx: Router.IRouterContext) => {
const pinnedNoteIds = user.pinnedNoteIds || []; const pinnedNoteIds = user.pinnedNoteIds || [];
const pinnedNotes = await Promise.all(pinnedNoteIds.map(id => Note.findOne({ _id: id }))); const pinnedNotes = await Promise.all(pinnedNoteIds.filter(ObjectID.isValid).map(id => Note.findOne({ _id: id })));
const renderedNotes = await Promise.all(pinnedNotes.map(note => renderNote(note))); const renderedNotes = await Promise.all(pinnedNotes.map(note => renderNote(note)));

View File

@ -1,4 +1,4 @@
import * as mongo from 'mongodb'; import { ObjectID } from 'mongodb';
import * as Router from 'koa-router'; import * as Router from 'koa-router';
import config from '../../config'; import config from '../../config';
import $ from 'cafy'; import ID, { transform } from '../../misc/cafy-id'; import $ from 'cafy'; import ID, { transform } from '../../misc/cafy-id';
@ -11,7 +11,12 @@ import renderFollowUser from '../../remote/activitypub/renderer/follow-user';
import { setResponseType } from '../activitypub'; import { setResponseType } from '../activitypub';
export default async (ctx: Router.IRouterContext) => { export default async (ctx: Router.IRouterContext) => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
// Get 'cursor' parameter // Get 'cursor' parameter
const [cursor = null, cursorErr] = $.type(ID).optional.get(ctx.request.query.cursor); const [cursor = null, cursorErr] = $.type(ID).optional.get(ctx.request.query.cursor);

View File

@ -1,7 +1,8 @@
import * as mongo from 'mongodb'; import { ObjectID } from 'mongodb';
import * as Router from 'koa-router'; import * as Router from 'koa-router';
import config from '../../config'; import config from '../../config';
import $ from 'cafy'; import ID, { transform } from '../../misc/cafy-id'; import $ from 'cafy';
import ID, { transform } from '../../misc/cafy-id';
import User from '../../models/user'; import User from '../../models/user';
import Following from '../../models/following'; import Following from '../../models/following';
import pack from '../../remote/activitypub/renderer'; import pack from '../../remote/activitypub/renderer';
@ -11,7 +12,12 @@ import renderFollowUser from '../../remote/activitypub/renderer/follow-user';
import { setResponseType } from '../activitypub'; import { setResponseType } from '../activitypub';
export default async (ctx: Router.IRouterContext) => { export default async (ctx: Router.IRouterContext) => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
// Get 'cursor' parameter // Get 'cursor' parameter
const [cursor = null, cursorErr] = $.type(ID).optional.get(ctx.request.query.cursor); const [cursor = null, cursorErr] = $.type(ID).optional.get(ctx.request.query.cursor);

View File

@ -1,7 +1,8 @@
import * as mongo from 'mongodb'; import { ObjectID } from 'mongodb';
import * as Router from 'koa-router'; import * as Router from 'koa-router';
import config from '../../config'; import config from '../../config';
import $ from 'cafy'; import ID, { transform } from '../../misc/cafy-id'; import $ from 'cafy';
import ID, { transform } from '../../misc/cafy-id';
import User from '../../models/user'; import User from '../../models/user';
import pack from '../../remote/activitypub/renderer'; import pack from '../../remote/activitypub/renderer';
import renderOrderedCollection from '../../remote/activitypub/renderer/ordered-collection'; import renderOrderedCollection from '../../remote/activitypub/renderer/ordered-collection';
@ -15,7 +16,12 @@ import renderAnnounce from '../../remote/activitypub/renderer/announce';
import { countIf } from '../../prelude/array'; import { countIf } from '../../prelude/array';
export default async (ctx: Router.IRouterContext) => { export default async (ctx: Router.IRouterContext) => {
const userId = new mongo.ObjectID(ctx.params.user); if (!ObjectID.isValid(ctx.params.user)) {
ctx.status = 404;
return;
}
const userId = new ObjectID(ctx.params.user);
// Get 'sinceId' parameter // Get 'sinceId' parameter
const [sinceId, sinceIdErr] = $.type(ID).optional.get(ctx.request.query.since_id); const [sinceId, sinceIdErr] = $.type(ID).optional.get(ctx.request.query.since_id);