From cd52cb7ec78d13b48ed28c8bcee1a3a6705ad8d7 Mon Sep 17 00:00:00 2001
From: Yukai Huang
Date: Thu, 4 Jan 2024 16:59:45 +0800
Subject: [PATCH] fix: only allow string type exportType paramter

fixes #1846

Signed-off-by: Yukai Huang
---
 lib/note/noteActions.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/note/noteActions.js b/lib/note/noteActions.js
index d9c57da21f..964f4505d6 100644
--- a/lib/note/noteActions.js
+++ b/lib/note/noteActions.js
@@ -133,14 +133,17 @@ async function actionPandoc (req, res, note) {
 content = content.replace(/\]\(\//g, '](' + url + '/')
 const { exportType } = req.query
+ if (typeof exportType !== 'string') {
+ return res.sendStatus(400)
+ }
+
 const contentType = outputFormats[exportType]
+ if (!contentType) {
+ return res.sendStatus(400)
+ }
 try {
 // TODO: timeout rejection
- if (!contentType) {
- return res.sendStatus(400)
- }
-
 await pandoc.convertToFile(content, 'markdown', exportType, path, [
 '--metadata', `title=${title}`, '--sandbox'
 ])
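Review bot: The allowlist lookup `outputFormats[exportType]` directly after the new `typeof` check still accepts inherited keys. `outputFormats` is defined outside this hunk, but if it is a plain object literal, a string that names an `Object.prototype` member (for example `constructor`) resolves to a truthy value, so `!contentType` does not reject it and the string is passed to `pandoc.convertToFile` as the output format. An own-property test before reading `contentType` would make the allowlist exact: `if (!Object.prototype.hasOwnProperty.call(outputFormats, exportType)) { return res.sendStatus(400) }`. The body of `actionPandoc` continues past the hunk, so I cannot see whether the later error handling already turns such a value into a clean error response.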