From f4a27e59a3a98ffa04116f88af1e4bd8c35e63ad Mon Sep 17 00:00:00 2001
From: MaysWind
Date: Sun, 11 Aug 2024 12:09:53 +0800
Subject: [PATCH] check whether query is valid before query user from database

---
 pkg/api/users.go | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/pkg/api/users.go b/pkg/api/users.go
index e34614ec..7fa58bcc 100644
--- a/pkg/api/users.go
+++ b/pkg/api/users.go
@@ -725,7 +725,22 @@ func (a *UsersApi) UserSendVerifyEmailByLoginedUserHandler(c *core.Context) (any
 
 // UserGetAvatarHandler returns user avatar data for current user
 func (a *UsersApi) UserGetAvatarHandler(c *core.Context) ([]byte, string, *errs.Error) {
+	fileName := c.Param("fileName")
+	fileExtension := utils.GetFileNameExtension(fileName)
+	contentType := utils.GetImageContentType(fileExtension)
+
+	if contentType == "" {
+		return nil, "", errs.ErrImageTypeNotSupported
+	}
+
 	uid := c.GetCurrentUid()
+	fileBaseName := utils.GetFileNameWithoutExtension(fileName)
+
+	if utils.Int64ToString(uid) != fileBaseName {
+		log.WarnfWithRequestId(c, "[users.UserGetAvatarHandler] cannot get other user avatar \"uid:%s\" for user \"uid:%d\"", fileBaseName, uid)
+		return nil, "", errs.ErrUserIdInvalid
+	}
+
 	user, err := a.users.GetUserById(c, uid)
 
 	if err != nil {
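Review bot: The warning in the new uid-mismatch branch logs the request-supplied fileBaseName through `%s`, so an empty or control-character-laden path segment is hard to tell apart in the log; `%q` would quote it: `log.WarnfWithRequestId(c, "[users.UserGetAvatarHandler] cannot get other user avatar uid:%q for user \"uid:%d\"", fileBaseName, uid)`. The doc comment on UserGetAvatarHandler still says only that it returns the avatar for the current user; it could add that the fileName path parameter must be `<current uid>.<supported image extension>` and that an unsupported extension or another user's id is rejected before the database lookup. Whether GetImageContentType returns "" for every unsupported extension rather than a default type is not visible here and is worth confirming, since the `contentType == ""` guard depends on it. The body of UserGetAvatarHandler continues past the end of the hunk.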
@@ -741,16 +756,6 @@ func (a *UsersApi) UserGetAvatarHandler(c *core.Context) ([]byte, string, *errs.
 		return nil, "", errs.ErrUserAvatarNoExists
 	}
 
-	fileName := c.Param("fileName")
-	fileBaseName := utils.GetFileNameWithoutExtension(fileName)
-
-	if utils.Int64ToString(user.Uid) != fileBaseName {
-		log.WarnfWithRequestId(c, "[users.UserGetAvatarHandler] cannot get other user avatar \"uid:%s\" for user \"uid:%d\"", fileBaseName, user.Uid)
-		return nil, "", errs.ErrUserIdInvalid
-	}
-
-	fileExtension := utils.GetFileNameExtension(fileName)
-
 	if user.CustomAvatarType != fileExtension {
 		log.WarnfWithRequestId(c, "[users.UserGetAvatarHandler] user avatar extension is invalid \"%s\" for user \"uid:%d\"", fileExtension, user.Uid)
 		return nil, "", errs.ErrUserAvatarNoExists
@@ -777,5 +782,5 @@ func (a *UsersApi) UserGetAvatarHandler(c *core.Context) ([]byte, string, *errs.
 		return nil, "", errs.ErrOperationFailed
 	}
 
-	return avatarData, utils.GetImageContentType(fileExtension), nil
+	return avatarData, contentType, nil
 }