From 2f596948f3e0f7bf48246da4f60656716d311034 Mon Sep 17 00:00:00 2001 From: syuilo Date: Wed, 18 Jan 2017 06:32:50 +0900 Subject: [PATCH] [API] Fix: Validate id --- src/api/endpoints/users/show.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/api/endpoints/users/show.js b/src/api/endpoints/users/show.js index af475c6cb9..43d6e700a5 100644 --- a/src/api/endpoints/users/show.js +++ b/src/api/endpoints/users/show.js @@ -33,6 +33,11 @@ module.exports = (params, me) => return rej('user_id or username is required'); } + // Validate id + if (userId && !mongo.ObjectID.isValid(userId)) { + return rej('incorrect user_id'); + } + // Lookup user const user = userId !== null ? await User.findOne({ _id: new mongo.ObjectID(userId) })