From 23e100691cbf16e94efdb7cb258e851daf3971aa Mon Sep 17 00:00:00 2001
From: syuilo <syuilotan@yahoo.co.jp>
Date: Wed, 18 Jan 2017 05:39:50 +0900
Subject: [PATCH] [API] Fix: Validate ids

---
 src/api/endpoints/posts/create.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/api/endpoints/posts/create.js b/src/api/endpoints/posts/create.js
index c3291bc72..3a527023c 100644
--- a/src/api/endpoints/posts/create.js
+++ b/src/api/endpoints/posts/create.js
@@ -68,6 +68,11 @@ module.exports = (params, user, app) =>
 		for (let i = 0; i < media.length; i++) {
 			const image = media[i];
 
+			// Validate id
+			if (!mongo.ObjectID.isValid(image)) {
+				return rej('incorrect media id');
+			}
+
 			// Fetch file
 			// SELECT _id
 			const entity = await DriveFile.findOne({
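Review bot: The new `mongo.ObjectID.isValid(image)` guard at the top of the media loop does not by itself limit the value to a 24-character hex string. Depending on the driver version, `isValid` also returns true for numbers and for any 12-character string, so a non-string JSON value from the request can pass the check. Since these ids are client-supplied, I would test the type first, e.g. `if (typeof image !== 'string' || !mongo.ObjectID.isValid(image)) {`. The same applies to the `repost_id` and `reply_to_id` checks in the two later hunks, where the value goes straight into `new mongo.ObjectID(...)`. The loop body and the `DriveFile.findOne` call continue outside this hunk, so how `image` is used in the query is not visible here.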
@@ -90,6 +95,11 @@ module.exports = (params, user, app) =>
 	// Get 'repost_id' parameter
 	let repost = params.repost_id;
 	if (repost !== undefined && repost !== null) {
+		// Validate id
+		if (!mongo.ObjectID.isValid(repost)) {
+			return rej('incorrect repost_id');
+		}
+
 		// Fetch repost to post
 		repost = await Post.findOne({
 			_id: new mongo.ObjectID(repost)
@@ -131,6 +141,12 @@ module.exports = (params, user, app) =>
 	// Get 'reply_to_id' parameter
 	let replyTo = params.reply_to_id;
 	if (replyTo !== undefined && replyTo !== null) {
+		// Validate id
+		if (!mongo.ObjectID.isValid(replyTo)) {
+			return rej('incorrect reply_to_id');
+		}
+
+		// Fetch reply
 		replyTo = await Post.findOne({
 			_id: new mongo.ObjectID(replyTo)
 		});