Prevent score lookups when querying /scores/{ruleset}/0

Closes ppy#11169. The `scores` table can contain records with `legacy_score_id = 0`. These records correspond to rows from `osu_scores_*` (non-high) tables which are always ephemeral (they get recycled every 24 hours). To avoid bogus lookups when querying the show controller endpoint, just explicitly disallow 0 (and negative numbers) from being unmapped via `legacy_score_id`.
nanaya · Apr 22, 2024 · 7ce7379 · 7ce7379
1 parent 38d371d
commit 7ce7379
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/app/Http/Controllers/ScoresController.php b/app/Http/Controllers/ScoresController.php
@@ -91,12 +91,21 @@ public function download($rulesetOrSoloId, $id = null)
 
     public function show($rulesetOrSoloId, $legacyId = null)
     {
-        $scoreQuery = $legacyId === null
-            ? SoloScore::whereKey($rulesetOrSoloId)
-            : SoloScore::where([
+        if ($legacyId === null) {
+            $scoreQuery = SoloScore::whereKey($rulesetOrSoloId);
+        } else {
+            // `SoloScore` tables can have records with `legacy_score_id = 0`
+            // which correspond to rows from `osu_scores_*` (non-high) tables.
+            // do not attempt to perform lookups for zero to avoid weird results.
+            // negative IDs should never occur (ID columns in score tables are all `bigint unsigned`).
+            if ($legacyId <= 0)
+                abort(404, 'invalid score ID');
+
+            $scoreQuery = SoloScore::where([
                 'ruleset_id' => Ruleset::tryFromName($rulesetOrSoloId) ?? abort(404, 'unknown ruleset name'),
                 'legacy_score_id' => $legacyId,
             ]);
+        }
         $score = $scoreQuery->whereHas('beatmap.beatmapset')->visibleUsers()->firstOrFail();
 
         $userIncludes = array_map(function ($include) {