Don't inject untrusted input
[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / users.ts
index 055af3b64c851209ecd24c97614c6c1ca3175d86..50327b6aebf4eb575b0721131c8c56dd2917e653 100644 (file)
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { Hooks } from '@server/lib/plugins/hooks'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
 import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
@@ -515,7 +516,7 @@ const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Requ
 
       const user = res.locals.oauth.token.User
       const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
-      const targetUserId = parseInt(targetUserIdGetter(req) + '')
+      const targetUserId = forceNumber(targetUserIdGetter(req))
 
       // Admin/moderator action on another user, skip the password check
       if (isAdminOrModerator && targetUserId !== user.id) {
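Review bot: The skip-password branch `if (isAdminOrModerator && targetUserId !== user.id)` fails open when `targetUserId` is not a valid number: if `forceNumber` yields `NaN` for a missing or non-numeric id (its definition is not in this hunk, but the `parseInt` line it replaces does), `NaN !== user.id` is true and an admin/moderator request skips the current-password check. Whether an earlier validator guarantees an integer id for every `targetUserIdGetter` is not visible here, so I would make the function fail closed on its own: `if (isAdminOrModerator && Number.isInteger(targetUserId) && targetUserId !== user.id) {`. A short comment such as `// targetUserId is request-derived: only skip the check for a well-formed id that is not the caller's own` would record the intent. The enclosing factory starts and ends outside the hunk.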