Don't inject untrusted input
[github/Chocobozzz/PeerTube.git] / server / helpers / custom-validators / video-captions.ts
index b33d90e1856f5bc3a77683f2c8d321ec4b763dfa..59ba005fe3f4b8d8feb152b9e210b559c72feac5 100644 (file)
@@ -1,40 +1,40 @@
-import { CONSTRAINTS_FIELDS, MIMETYPES, VIDEO_LANGUAGES } from '../../initializers'
+import { UploadFilesForCheck } from 'express'
+import { readFile } from 'fs-extra'
+import { getFileSize } from '@shared/extra-utils'
+import { CONSTRAINTS_FIELDS, MIMETYPES, VIDEO_LANGUAGES } from '../../initializers/constants'
 import { exists, isFileValid } from './misc'
-import { Response } from 'express'
-import { VideoModel } from '../../models/video/video'
-import { VideoCaptionModel } from '../../models/video/video-caption'
 
 function isVideoCaptionLanguageValid (value: any) {
-  return exists(value) && VIDEO_LANGUAGES[ value ] !== undefined
+  return exists(value) && VIDEO_LANGUAGES[value] !== undefined
 }
 
-const videoCaptionTypes = Object.keys(MIMETYPES.VIDEO_CAPTIONS.MIMETYPE_EXT)
-                                .concat([ 'application/octet-stream' ]) // MacOS sends application/octet-stream ><
+const videoCaptionTypesRegex = Object.keys(MIMETYPES.VIDEO_CAPTIONS.MIMETYPE_EXT)
+                                .concat([ 'application/octet-stream' ]) // MacOS sends application/octet-stream
                                 .map(m => `(${m})`)
-const videoCaptionTypesRegex = videoCaptionTypes.join('|')
-function isVideoCaptionFile (files: { [ fieldname: string ]: Express.Multer.File[] } | Express.Multer.File[], field: string) {
-  return isFileValid(files, videoCaptionTypesRegex, field, CONSTRAINTS_FIELDS.VIDEO_CAPTIONS.CAPTION_FILE.FILE_SIZE.max)
+                                .join('|')
+function isVideoCaptionFile (files: UploadFilesForCheck, field: string) {
+  return isFileValid({
+    files,
+    mimeTypeRegex: videoCaptionTypesRegex,
+    field,
+    maxSize: CONSTRAINTS_FIELDS.VIDEO_CAPTIONS.CAPTION_FILE.FILE_SIZE.max
+  })
 }
 
-async function isVideoCaptionExist (video: VideoModel, language: string, res: Response) {
-  const videoCaption = await VideoCaptionModel.loadByVideoIdAndLanguage(video.id, language)
+async function isVTTFileValid (filePath: string) {
+  const size = await getFileSize(filePath)
 
-  if (!videoCaption) {
-    res.status(404)
-       .json({ error: 'Video caption not found' })
-       .end()
+  if (size > CONSTRAINTS_FIELDS.VIDEO_CAPTIONS.CAPTION_FILE.FILE_SIZE.max) return false
 
-    return false
-  }
+  const content = await readFile(filePath, 'utf8')
 
-  res.locals.videoCaption = videoCaption
-  return true
+  return content?.startsWith('WEBVTT\n')
 }
 
 // ---------------------------------------------------------------------------
 
 export {
   isVideoCaptionFile,
-  isVideoCaptionLanguageValid,
-  isVideoCaptionExist
+  isVTTFileValid,
+  isVideoCaptionLanguageValid
 }
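Review bot: The signature test in `isVTTFileValid`, `content?.startsWith('WEBVTT\n')`, rejects well-formed WebVTT files, and passing it should not be read as sanitising the caption body. The format allows a leading BOM (which `readFile(filePath, 'utf8')` does not strip), CRLF or CR line endings, and a space or tab plus header text after `WEBVTT`, so a check that matches the format would be `return /^\uFEFF?WEBVTT(?:[ \t][^\r\n]*)?(?:\r\n|\r|\n|$)/.test(content)`. `readFile` with an encoding always resolves to a string, so the `?.` is unnecessary and the function can be annotated `Promise<boolean>`. Only the first line is inspected, so whatever consumes the file after this check (outside the hunk) still has to treat the cue text as untrusted.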