fix: only allow string type exportType paramter

fixes #1846 Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
hackmdio · Jan 4, 2024 · cd52cb7 · cd52cb7
1 parent 0f4b988
commit cd52cb7
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/lib/note/noteActions.js b/lib/note/noteActions.js
@@ -133,14 +133,17 @@ async function actionPandoc (req, res, note) {
   content = content.replace(/\]\(\//g, '](' + url + '/')
 
   const { exportType } = req.query
+  if (typeof exportType !== 'string') {
+    return res.sendStatus(400)
+  }
+
   const contentType = outputFormats[exportType]
+  if (!contentType) {
+    return res.sendStatus(400)
+  }
 
   try {
     // TODO: timeout rejection
-    if (!contentType) {
-      return res.sendStatus(400)
-    }
-
     await pandoc.convertToFile(content, 'markdown', exportType, path, [
       '--metadata', `title=${title}`, '--sandbox'
     ])