Add additional check for playlistName
authorChocobozzz <me@florianbigard.com>
Mon, 27 Feb 2023 08:44:03 +0000 (09:44 +0100)
committerChocobozzz <me@florianbigard.com>
Mon, 27 Feb 2023 08:44:03 +0000 (09:44 +0100)
server/helpers/custom-validators/misc.ts
server/middlewares/validators/static.ts

index b3ab3ac64704edda06955c18d384df3b2e044017..ebab4c6b244ba1277a0424c089e535fd9faac131 100644 (file)
@@ -15,6 +15,10 @@ function isSafePath (p: string) {
     })
 }
 
+function isSafePeerTubeFilenameWithoutExtension (filename: string) {
+  return filename.match(/^[a-z0-9-]+$/)
+}
+
 function isArray (value: any): value is any[] {
   return Array.isArray(value)
 }
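Review bot: `isSafePeerTubeFilenameWithoutExtension` returns the result of `filename.match(...)`, i.e. `RegExpMatchArray | null`, not a boolean, unlike the neighbouring validators in this file such as `isArray`, which return a boolean (and carry a return type). Use the regex's `test` so the helper can be used as a plain predicate: `function isSafePeerTubeFilenameWithoutExtension (filename: string): boolean {` / `  return /^[a-z0-9-]+$/.test(filename)` / `}`. This matters at the second file's call site, where the helper is passed to `.customSanitizer(...)`: as far as the visible lines show, a sanitizer replaces the query value with the function's return value, so `playlistName` would become a match array or `null` rather than being rejected when it contains characters outside `[a-z0-9-]`; a `.custom(...)` check returning a boolean (followed by the existing `areValidationErrors` gate) is presumably what was intended, so that the later `basename`/`dirname` path handling only ever sees a validated name. I would also add a one-line comment on the helper stating the contract, e.g. `// Accepts only lowercase alphanumerics and '-', so the value is safe to embed in a filesystem path`.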
@@ -172,5 +176,6 @@ export {
   areUUIDsValid,
   toIntArray,
   isFileValid,
+  isSafePeerTubeFilenameWithoutExtension,
   checkMimetypeRegex
 }
index d3d307787a190d8f41efff70572e8e23e315d518..45d56bcd64da8c6bcbac74fcca69ce2ced143104 100644 (file)
@@ -2,7 +2,7 @@ import express from 'express'
 import { query } from 'express-validator'
 import LRUCache from 'lru-cache'
 import { basename, dirname } from 'path'
-import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
+import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
 import { logger } from '@server/helpers/logger'
 import { LRU_CACHE } from '@server/initializers/constants'
 import { VideoModel } from '@server/models/video/video'
@@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [
     .customSanitizer(toBooleanOrNull)
     .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'),
 
+  query('playlistName')
+    .optional()
+    .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return