BugFix: Validate ObjectId

growilabs · Oct 10, 2020 · cbc2565 · cbc2565
1 parent 770fc02
commit cbc2565
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/server/routes/refs.js b/src/server/routes/refs.js
@@ -8,8 +8,11 @@ const logger = loggerFactory('growi-plugin:attachment-refs:routes:refs');
 
 module.exports = (crowi) => {
   const express = crowi.require('express');
+  const mongoose = crowi.require('mongoose');
   const router = express.Router();
 
+  const ObjectId = mongoose.Types.ObjectId;
+
   const User = crowi.model('User');
   const Page = crowi.model('Page');
   const Attachment = crowi.model('Attachment');
@@ -90,13 +93,16 @@ module.exports = (crowi) => {
       creatorPopulateOpt = User.IMAGE_POPULATION;
     }
 
+    // convert ObjectId
+    const orConditions = [{ originalName: fileNameOrId }];
+    if (ObjectId.isValid(fileNameOrId)) {
+      orConditions.push({ _id: ObjectId(fileNameOrId) });
+    }
+
     const attachment = await Attachment
       .findOne({
         page: page._id,
-        $or: [
-          { _id: fileNameOrId },
-          { originalName: fileNameOrId },
-        ],
+        $or: orConditions,
       })
       .populate({ path: 'creator', select: User.USER_PUBLIC_FIELDS, populate: creatorPopulateOpt });