rsesot/misskey
1
0
Fork 0
forked from mirrors/misskey
Code Pull Requests Activity

Merge commit from fork

Browse Source 
none of our endpoints will ever contain `..` (they might, maybe, at
some point, contain `.`, as in `something/get.html`?), so every
`Mk:api()` call to an endpoint that contains `..` can't work: let's
reject it outright

Co-authored-by: dakkar <dakkar@thenautilus.net>
This commit is contained in:
Julia
2025-04-29 05:06:39 -04:00
committed by GitHub
parent 2cd3fbf1a3
commit 583df3ec63
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
packages/frontend/src/aiscript/api.ts
View File

@@ -68,7 +68,7 @@ export function createAiScriptEnv(opts: { storageKey: string, token?: string })
}), }),
'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => { 'Mk:api': values.FN_NATIVE(async ([ep, param, token]) => {
utils.assertString(ep); utils.assertString(ep);
if (ep.value.includes('://')) { if (ep.value.includes('://') || ep.value.includes('..')) {
throw new errors.AiScriptRuntimeError('invalid endpoint'); throw new errors.AiScriptRuntimeError('invalid endpoint');
} }
if (token) { if (token) {