fix: Escape SQL LIKE (#9493)

* SQL LIKE escape * CHANGELOG
2023-01-08 20:32:17 +09:00 · 2023-01-08 20:32:17 +09:00 · 10e526ba56
commit 10e526ba56
parent 1d7e0293a8
10 changed files with 27 additions and 15 deletions
--- a/packages/backend/src/server/api/endpoints/federation/instances.ts
+++ b/packages/backend/src/server/api/endpoints/federation/instances.ts
@ -4,6 +4,7 @@ import type { InstancesRepository } from '@/models/index.js';
 import { InstanceEntityService } from '@/core/entities/InstanceEntityService.js';
 import { MetaService } from '@/core/MetaService.js';
 import { DI } from '@/di-symbols.js';
+import { sqlLikeEscape } from '@/misc/sql-like-escape';

 export const meta = {
 	tags: ['federation'],
@ -120,7 +121,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			}

 			if (ps.host) {
-				query.andWhere('instance.host like :host', { host: '%' + ps.host.toLowerCase() + '%' });
+				query.andWhere('instance.host like :host', { host: '%' + sqlLikeEscape(ps.host.toLowerCase()) + '%' });
 			}

 			const instances = await query.take(ps.limit).skip(ps.offset).getMany();