Merge commit from fork

(cherry picked from commit 583df3ec63e25a1fd34def0dac13405396b8b663)

none of our endpoints will ever contain `..` (they might, maybe, at
some point, contain `.`, as in `something/get.html`?), so every
`Mk:api()` call to an endpoint that contains `..` can't work: let's
reject it outright

Co-authored-by: Julia <julia@insertdomain.name>
Co-authored-by: dakkar <dakkar@thenautilus.net>
あわわわとーにゅ 2025-05-01 21:24:38 +09:00
parent 80b4272c57
commit fe90cc7b24
No known key found for this signature in database
GPG key ID: 6AFBBF529601C1DB


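--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -51,7 +51,9 @@ export function createAiScriptEnv(opts) {
 }),
 'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
 utils.assertString(ep);
-if (ep.value.includes('://')) throw new Error('invalid endpoint');
+if (ep.value.includes('://') || ep.value.includes('..')) {
+throw new Error('invalid endpoint');
+}
 if (token) {
 utils.assertString(token);
 // バグがあればundefinedもあり得るため念のため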
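Review bot: The new guard on the `if` line is a substring denylist (`://` and `..`), and the hunk does not show how `ep.value` is later turned into a request path, so other inputs that could change the request target (a leading `/`, a `?` or `#`) are presumably still passed through. If every endpoint name this fork exposes fits a simple character set, an allowlist is easier to reason about and can be added to the same condition: `if (ep.value.includes('://') || ep.value.includes('..') || !/^[a-z0-9_./-]+$/i.test(ep.value)) {`. A one-line comment stating the invariant the commit message gives would also help the next reader: `// endpoint names never contain '..' or a scheme; anything that does cannot be a valid API call`. The `Mk:api` handler and `createAiScriptEnv` both continue outside the hunk.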