Don't leak unlisted videos in comments feed

[github/Chocobozzz/PeerTube.git] / server / models / utils.ts

diff --git a/server/models/utils.ts b/server/models/utils.ts
index f7afb8d4b854181622ffa5f9e9c28de42fc1e7d1..06ff058649965d2f1e2d1a2c85ede33245ffe808 100644 (file)
--- a/server/models/utils.ts
+++ b/server/models/utils.ts
@@ -3,6 +3,23 @@ import validator from 'validator'
 import { Col } from 'sequelize/types/lib/utils'
 import { literal, OrderItem } from 'sequelize'
 
+type Primitive = string | Function | number | boolean | Symbol | undefined | null
+type DeepOmitHelper<T, K extends keyof T> = {
+  [P in K]: // extra level of indirection needed to trigger homomorhic behavior
+  T[P] extends infer TP // distribute over unions
+    ? TP extends Primitive
+      ? TP // leave primitives and functions alone
+      : TP extends any[]
+        ? DeepOmitArray<TP, K> // Array special handling
+        : DeepOmit<TP, K>
+    : never
+}
+type DeepOmit<T, K> = T extends Primitive ? T : DeepOmitHelper<T, Exclude<keyof T, K>>
+
+type DeepOmitArray<T extends any[], K> = {
+  [P in keyof T]: DeepOmit<T[P], K>
+}
+
 type SortType = { sortModel: string, sortValue: string }
 
 // Translate for example "-name" to [ [ 'name', 'DESC' ], [ 'id', 'ASC' ] ]
@@ -156,8 +173,11 @@ function parseAggregateResult (result: any) {
 }
 
 const createSafeIn = (model: typeof Model, stringArr: (string | number)[]) => {
-  return stringArr.map(t => model.sequelize.escape('' + t))
-                  .join(', ')
+  return stringArr.map(t => {
+    return t === null
+      ? null
+      : model.sequelize.escape('' + t)
+  }).join(', ')
 }
 
 function buildLocalAccountIdsIn () {
@@ -172,9 +192,25 @@ function buildLocalActorIdsIn () {
   )
 }
 
+function buildDirectionAndField (value: string) {
+  let field: string
+  let direction: 'ASC' | 'DESC'
+
+  if (value.substring(0, 1) === '-') {
+    direction = 'DESC'
+    field = value.substring(1)
+  } else {
+    direction = 'ASC'
+    field = value
+  }
+
+  return { direction, field }
+}
+
 // ---------------------------------------------------------------------------
 
 export {
+  DeepOmit,
   buildBlockedAccountSQL,
   buildLocalActorIdsIn,
   SortType,
@@ -191,6 +227,7 @@ export {
   isOutdated,
   parseAggregateResult,
   getFollowsSort,
+  buildDirectionAndField,
   createSafeIn
 }
 
@@ -203,18 +240,3 @@ function searchTrigramNormalizeValue (value: string) {
 function searchTrigramNormalizeCol (col: string) {
   return Sequelize.fn('lower', Sequelize.fn('immutable_unaccent', Sequelize.col(col)))
 }
-
-function buildDirectionAndField (value: string) {
-  let field: string
-  let direction: 'ASC' | 'DESC'
-
-  if (value.substring(0, 1) === '-') {
-    direction = 'DESC'
-    field = value.substring(1)
-  } else {
-    direction = 'ASC'
-    field = value
-  }
-
-  return { direction, field }
-}