coop-cloud-chaos-patchs/outline
coop-cloud-chaos-patchs
/
outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix: backslash in search query not escaped

This commit is contained in:
Tom Moor 2020-06-03 23:59:59 -07:00
parent 4b4f4fd188
commit bd9d4b3d0d
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
server/models/Document.js
View File

@ -254,6 +254,12 @@ type SearchOptions = {
includeDrafts?: boolean,
};
function escape(query: string): string {
// replace "\" with escaped "\\" because sequelize.escape doesn't do it
// https://github.com/sequelize/sequelize/issues/2950
return sequelize.escape(query).replace('\\', '\\\\');
}
Document.searchForTeam = async (
team,
query,
@ -261,7 +267,7 @@ Document.searchForTeam = async (
): Promise<SearchResult[]> => {
const limit = options.limit || 15;
const offset = options.offset || 0;
const wildcardQuery = `${sequelize.escape(query)}:*`;
const wildcardQuery = `${escape(query)}:*`;
const collectionIds = await team.collectionIds();
// If the team has access no public collections then shortcircuit the rest of this
@ -327,7 +333,7 @@ Document.searchForUser = async (
): Promise<SearchResult[]> => {
const limit = options.limit || 15;
const offset = options.offset || 0;
const wildcardQuery = `${sequelize.escape(query)}:*`;
const wildcardQuery = `${escape(query)}:*`;
// Ensure we're filtering by the users accessible collections. If
// collectionId is passed as an option it is assumed that the authorization