From cbc256591f49c3e99f372d4eb62a9592cc747ab1 Mon Sep 17 00:00:00 2001
From: Yuki Takei
Date: Sat, 10 Oct 2020 02:51:44 +0000
Subject: [PATCH] BugFix: Validate ObjectId
---
 src/server/routes/refs.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/server/routes/refs.js b/src/server/routes/refs.js
index 214d073..1bac6ab 100644
--- a/src/server/routes/refs.js
+++ b/src/server/routes/refs.js
@@ -8,8 +8,11 @@ const logger = loggerFactory('growi-plugin:attachment-refs:routes:refs');
 module.exports = (crowi) => {
 const express = crowi.require('express');
+ const mongoose = crowi.require('mongoose');
 const router = express.Router();
+ const ObjectId = mongoose.Types.ObjectId;
+
 const User = crowi.model('User');
 const Page = crowi.model('Page');
 const Attachment = crowi.model('Attachment');
@@ -93,13 +93,16 @@ module.exports = (crowi) => {
 creatorPopulateOpt = User.IMAGE_POPULATION;
 }
+ // convert ObjectId
+ const orConditions = [{ originalName: fileNameOrId }];
+ if (ObjectId.isValid(fileNameOrId)) {
+ orConditions.push({ _id: ObjectId(fileNameOrId) });
+ }
+
 const attachment = await Attachment
 .findOne({
 page: page._id,
- $or: [
- { _id: fileNameOrId },
- { originalName: fileNameOrId },
- ],
+ $or: orConditions,
 })
 .populate({ path: 'creator', select: User.USER_PUBLIC_FIELDS, populate: creatorPopulateOpt });
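Review bot: In the second hunk `fileNameOrId` still goes into `{ originalName: fileNameOrId }` without a type check, and the new `ObjectId.isValid()` guard is loose: it also accepts any 12-character string, so a 12-character file name gets an `_id` condition built from its bytes. The route handler starts and ends outside the hunk, so the origin of the value is not visible; if it comes from the parsed query string, an object rather than a string could reach the filter and be interpreted as query operators. I would reject non-string values before building `orConditions` and tighten the guard to `if (/^[0-9a-fA-F]{24}$/.test(fileNameOrId)) {`. Using `new ObjectId(fileNameOrId)` in the push is also safer, since more recent bson releases appear to reject calling the constructor without `new`.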