Ensure case-sensitive DB queries on MySQL/MariaDB

MySQLs string comparisons are case-insensitive by default. This allows to hide notes by creating a new note with an alias that equals the lower-cased alias of another note. The new note is returned first by MySQL, so the original one is not accessible anymore. This fixes the problem by using an explicit binary comparison in the affected queries. See https://dev.mysql.com/doc/refman/8.0/en/case-sensitivity.html Signed-off-by: David Mehren <git@herrmehren.de>
2023-10-01 20:40:15 +02:00 · 2023-10-01 20:40:15 +02:00 · 380587b7fd
commit 380587b7fd
parent c543dc1f23
2 changed files with 15 additions and 6 deletions
--- a/lib/models/note.js
+++ b/lib/models/note.js
@ -18,6 +18,7 @@ const S = require('string')
 // core
 const config = require('../config')
 const logger = require('../logger')
+const utils = require('../utils')

 // ot
 const ot = require('../ot')
@ -191,9 +192,11 @@ module.exports = function (sequelize, DataTypes) {
      parseNoteIdByAlias: function (_callback) {
        // try to parse note id by alias (e.g. doc)
        Note.findOne({
-          where: {
-            alias: noteId
-          }
+          where: utils.isMySQL(sequelize)
+            ? sequelize.where(sequelize.fn('BINARY', sequelize.col('alias')), noteId)
+            : {
+                alias: noteId
+              }
        }).then(function (note) {
          if (note) {
            const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
@ -296,9 +299,11 @@ module.exports = function (sequelize, DataTypes) {
        try {
          if (shortId.isValid(noteId)) {
            Note.findOne({
-              where: {
-                shortid: noteId
-              }
+              where: utils.isMySQL(sequelize)
+                ? sequelize.where(sequelize.fn('BINARY', sequelize.col('shortid')), noteId)
+                : {
+                    shortid: noteId
+                  }
            }).then(function (note) {
              if (!note) return _callback(null, null)
              return callback(null, note.id)
--- a/lib/utils.js
+++ b/lib/utils.js
@ -4,6 +4,10 @@ exports.isSQLite = function isSQLite (sequelize) {
  return sequelize.options.dialect === 'sqlite'
 }

+exports.isMySQL = function isMySQL (sequelize) {
+  return ['mysql', 'mariadb'].includes(sequelize.options.dialect)
+}
+
 exports.getImageMimeType = function getImageMimeType (imagePath) {
  const fileExtension = /[^.]+$/.exec(imagePath)