Don't inject untrusted input

Even if it's already checked in middlewares It's better to have safe modals too
author: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
commit: 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree: 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api/users
parent: 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download: PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
2 files changed, 5 insertions, 3 deletions
diff --git a/server/controllers/api/users/my-history.ts b/server/controllers/api/users/my-history.ts
index bc5b40f59..e6d3e86ac 100644
--- a/server/controllers/api/users/my-history.ts
+++ b/server/controllers/api/users/my-history.ts
@@ -1,3 +1,4 @@
+import { forceNumber } from '@shared/core-utils'
 import express from 'express'
 import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
 import { getFormattedObjects } from '../../../helpers/utils'
@@ -55,7 +56,7 @@ async function listMyVideosHistory (req: express.Request, res: express.Response)
 async function removeUserHistoryElement (req: express.Request, res: express.Response) {
  const user = res.locals.oauth.token.User
-  await UserVideoHistoryModel.removeUserHistoryElement(user, parseInt(req.params.videoId + ''))
+  await UserVideoHistoryModel.removeUserHistoryElement(user, forceNumber(req.params.videoId))
  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
 }
diff --git a/server/controllers/api/users/my-video-playlists.ts b/server/controllers/api/users/my-video-playlists.ts
index 715717610..fbdbb7e50 100644
--- a/server/controllers/api/users/my-video-playlists.ts
+++ b/server/controllers/api/users/my-video-playlists.ts
@@ -1,5 +1,6 @@
-import { uuidToShort } from '@shared/extra-utils'
 import express from 'express'
+import { forceNumber } from '@shared/core-utils'
+import { uuidToShort } from '@shared/extra-utils'
 import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model'
 import { asyncMiddleware, authenticate } from '../../../middlewares'
 import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists'
@@ -22,7 +23,7 @@ export {
 // ---------------------------------------------------------------------------
 async function doVideosInPlaylistExist (req: express.Request, res: express.Response) {
-  const videoIds = req.query.videoIds.map(i => parseInt(i + '', 10))
+  const videoIds = req.query.videoIds.map(i => forceNumber(i))
  const user = res.locals.oauth.token.User
  const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds)
author	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
commit	4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree	3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api/users
parent	6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download	PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip