enhance(backend): プロフィールのリンク検証にtry-catchを追加 (#13882)
* enhance(backend): プロフィールのリンク検証にtry-catchを追加
* ✌️
parent
1b81ca4563
commit
805a11aadb
1 changed files with 21 additions and 15 deletions
|
@ -498,26 +498,32 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
private async verifyLink(url: string, user: MiLocalUser) {
|
private async verifyLink(url: string, user: MiLocalUser) {
|
||||||
if (!safeForSql(url)) return;
|
if (!safeForSql(url)) return;
|
||||||
|
|
||||||
const html = await this.httpRequestService.getHtml(url);
|
try {
|
||||||
|
const html = await this.httpRequestService.getHtml(url);
|
||||||
|
|
||||||
const { window } = new JSDOM(html);
|
const { window } = new JSDOM(html);
|
||||||
const doc = window.document;
|
const doc = window.document;
|
||||||
|
|
||||||
const myLink = `${this.config.url}/@${user.username}`;
|
const myLink = `${this.config.url}/@${user.username}`;
|
||||||
|
|
||||||
const aEls = Array.from(doc.getElementsByTagName('a'));
|
const aEls = Array.from(doc.getElementsByTagName('a'));
|
||||||
const linkEls = Array.from(doc.getElementsByTagName('link'));
|
const linkEls = Array.from(doc.getElementsByTagName('link'));
|
||||||
|
|
||||||
const includesMyLink = aEls.some(a => a.href === myLink);
|
const includesMyLink = aEls.some(a => a.href === myLink);
|
||||||
const includesRelMeLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === myLink);
|
const includesRelMeLinks = [...aEls, ...linkEls].some(link => link.rel === 'me' && link.href === myLink);
|
||||||
|
|
||||||
if (includesMyLink || includesRelMeLinks) {
|
if (includesMyLink || includesRelMeLinks) {
|
||||||
await this.userProfilesRepository.createQueryBuilder('profile').update()
|
await this.userProfilesRepository.createQueryBuilder('profile').update()
|
||||||
.where('userId = :userId', { userId: user.id })
|
.where('userId = :userId', { userId: user.id })
|
||||||
.set({
|
.set({
|
||||||
verifiedLinks: () => `array_append("verifiedLinks", '${url}')`, // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
|
verifiedLinks: () => `array_append("verifiedLinks", '${url}')`, // ここでSQLインジェクションされそうなのでとりあえず safeForSql で弾いている
|
||||||
})
|
})
|
||||||
.execute();
|
.execute();
|
||||||
|
}
|
||||||
|
|
||||||
|
window.close();
|
||||||
|
} catch (err) {
|
||||||
|
// なにもしない
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
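Review bot: The new `catch (err)` in `verifyLink` is empty and wraps the whole body, so it silently drops fetch and parse failures and also any error thrown by the `userProfilesRepository` update. Because `window.close()` is the last statement of the `try`, it is skipped whenever something after `new JSDOM(html)` throws. I would close the window in a `finally` and record `err` in the catch instead of discarding it, as sketched below. Whether update failures are meant to be swallowed cannot be judged from this hunk, since the callers are outside it. Separately, the unchanged `verifiedLinks` setter still interpolates `url` into the SQL text and relies on `safeForSql`; binding the value (`array_append("verifiedLinks", :url)` with `url` supplied through `setParameters`) should remove that dependence.

```typescript
try {
	const html = await this.httpRequestService.getHtml(url);
	const { window } = new JSDOM(html);
	try {
		// … unchanged: myLink / aEls / linkEls matching and the verifiedLinks update …
	} finally {
		// runs on success and on failure, so the JSDOM window is always released
		window.close();
	}
} catch (err) {
	// … log err with the endpoint's existing logger rather than dropping it …
}
```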