diff --git a/packages/server/src/route/contents.ts b/packages/server/src/route/contents.ts
index 2a8c4e0..83d03f9 100644
--- a/packages/server/src/route/contents.ts
+++ b/packages/server/src/route/contents.ts
@@ -210,18 +210,26 @@ function getRescanDocumentHandler(controller: DocumentAccessor) {
   };
 }
 
-export const getContentRouter = (controller: DocumentAccessor) => {
-  const ret = new Router();
-  ret.get("/search", PerCheck(Per.QueryContent), ContentQueryHandler(controller));
-  ret.get("/_gid", PerCheck(Per.QueryContent), async (ctx, next) => {
+function ContentGidListHandler(controller: DocumentAccessor) {
+  return async (ctx: Context, next: Next) => {
     const gid_list = ParseQueryArray(ctx.query.gid).map((x) => Number.parseInt(x))
     if (gid_list.some((x) => Number.isNaN(x))) {
       return sendError(400, "gid is not a number");
     }
+    // size limit
+    if (gid_list.length > 100) {
+      return sendError(400, "gid list is too long");
+    }
     const r = await controller.findByGidList(gid_list);
     ctx.body = r;
     ctx.type = "json";
-  });
+  };
+}
+
+export const getContentRouter = (controller: DocumentAccessor) => {
+  const ret = new Router();
+  ret.get("/search", PerCheck(Per.QueryContent), ContentQueryHandler(controller));
+  ret.get("/_gid", PerCheck(Per.QueryContent), ContentGidListHandler(controller));
   ret.get("/:num(\\d+)", PerCheck(Per.QueryContent), ContentIDHandler(controller));
   ret.all("/:num(\\d+)/(.*)", PerCheck(Per.QueryContent), ContentHandler(controller));
   ret.post("/:num(\\d+)", AdminOnly, UpdateContentHandler(controller));
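Review bot: The new length guard in ContentGidListHandler runs only after the whole query array has already been parsed and scanned for NaN, so an oversized list still costs a full `map`/`some` pass before it is rejected; check the raw array length first, e.g. `const raw = ParseQueryArray(ctx.query.gid);` followed by `if (raw.length > MAX_GID_LIST) return sendError(400, "gid list is too long");` and only then parse. The bare `100` with the comment `// size limit` says nothing about why that bound exists; a named module constant such as `const MAX_GID_LIST = 100; // bounds per-request lookup work in findByGidList` documents the intent and makes the cap findable. `Number.parseInt(x)` is called without a radix, so inputs like `"0x10"` are accepted as hex and `"12abc"` as 12; `Number.parseInt(x, 10)` makes the accepted format explicit. The `next` parameter of the returned handler is unused and can be dropped or prefixed to silence the linter. getContentRouter continues past the end of the hunk.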