[API] Fix: Validate ids

564aa706 · syuilo · 2a6ac7e3 · 564aa706 · 564aa706
Commit 564aa706 authored 8 years ago by syuilo
--- a/src/api/endpoints/following/create.js
+++ b/src/api/endpoints/following/create.js
@@ -28,6 +28,11 @@ module.exports = (params, user) =>
 		return rej('user_id is required');
 	}

+	// Validate id
+	if (!mongo.ObjectID.isValid(userId)) {
+		return rej('incorrect user_id');
+	}
+
 	// 自分自身
 	if (user._id.equals(userId)) {
 		return rej('followee is yourself');

--- a/src/api/endpoints/following/delete.js
+++ b/src/api/endpoints/following/delete.js
@@ -27,6 +27,11 @@ module.exports = (params, user) =>
 		return rej('user_id is required');
 	}

+	// Validate id
+	if (!mongo.ObjectID.isValid(userId)) {
+		return rej('incorrect user_id');
+	}
+
 	// Check if the followee is yourself
 	if (user._id.equals(userId)) {
 		return rej('followee is yourself');