Fix search-by-tag (#7531)

* Fix search-by-tag * Revert "Fix search-by-tag" This reverts commit c971d1d5d82f2d8b58fdec76e42f4404339ab83a. * Fix typo * Remove unused var * インジェクションは[]を返すように
2021-05-23 18:57:12 +09:00 · 2021-05-23 18:57:12 +09:00 · 47aaf04481
commit 47aaf04481
parent 7063a6925f
1 changed files with 19 additions and 16 deletions
--- a/src/server/api/endpoints/notes/search-by-tag.ts
+++ b/src/server/api/endpoints/notes/search-by-tag.ts
@ -104,22 +104,25 @@ export default define(meta, async (ps, me) => {
 	generateVisibilityQuery(query, me);
 	if (me) generateMutedUserQuery(query, me);

-	if (ps.tag) {
-		if (!safeForSql(ps.tag)) return;
-		query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
-	} else {
-		let i = 0;
-		query.andWhere(new Brackets(qb => {
-			for (const tags of ps.query!) {
-				qb.orWhere(new Brackets(qb => {
-					for (const tag of tags) {
-						if (!safeForSql(tag)) return;
-						qb.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
-						i++;
-					}
-				}));
-			}
-		}));
+	try {
+		if (ps.tag) {
+			if (!safeForSql(ps.tag)) throw 'Injection';
+			query.andWhere(`'{"${normalizeForSearch(ps.tag)}"}' <@ note.tags`);
+		} else {
+			query.andWhere(new Brackets(qb => {
+				for (const tags of ps.query!) {
+					qb.orWhere(new Brackets(qb => {
+						for (const tag of tags) {
+							if (!safeForSql(tag)) throw 'Injection';
+							qb.andWhere(`'{"${normalizeForSearch(tag)}"}' <@ note.tags`);
+						}
+					}));
+				}
+			}));
+		}
+	} catch (e) {
+		if (e === 'Injection') return [];
+		throw e;
 	}

 	if (ps.reply != null) {