Merge pull request ppy#11173 from bdach/legacy-score-id-zero

Prevent bogus score lookups when querying `/scores/{ruleset}/0`
nanaya · Apr 24, 2024 · 0f7df7e · 0f7df7e
2 parents 5630138 + efd5bf9
commit 0f7df7e
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/app/Http/Controllers/ScoresController.php b/app/Http/Controllers/ScoresController.php
@@ -91,12 +91,22 @@ public function download($rulesetOrSoloId, $id = null)
 
     public function show($rulesetOrSoloId, $legacyId = null)
     {
-        $scoreQuery = $legacyId === null
-            ? SoloScore::whereKey($rulesetOrSoloId)
-            : SoloScore::where([
+        if ($legacyId === null) {
+            $scoreQuery = SoloScore::whereKey($rulesetOrSoloId);
+        } else {
+            // `SoloScore` tables can have records with `legacy_score_id = 0`
+            // which correspond to rows from `osu_scores_*` (non-high) tables.
+            // do not attempt to perform lookups for zero to avoid weird results.
+            // negative IDs should never occur (ID columns in score tables are all `bigint unsigned`).
+            if ($legacyId <= 0) {
+                abort(404, 'invalid score ID');
+            }
+
+            $scoreQuery = SoloScore::where([
                 'ruleset_id' => Ruleset::tryFromName($rulesetOrSoloId) ?? abort(404, 'unknown ruleset name'),
                 'legacy_score_id' => $legacyId,
             ]);
+        }
         $score = $scoreQuery->whereHas('beatmap.beatmapset')->visibleUsers()->firstOrFail();
 
         $userIncludes = array_map(function ($include) {