diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
| commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
| tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api | |
| parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
| download | PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe modals too
Diffstat (limited to 'server/controllers/api')
| -rw-r--r-- | server/controllers/api/users/my-history.ts | 3 | ||||
| -rw-r--r-- | server/controllers/api/users/my-video-playlists.ts | 5 | ||||
| -rw-r--r-- | server/controllers/api/video-playlist.ts | 5 | ||||
| -rw-r--r-- | server/controllers/api/videos/update.ts | 3 |
4 files changed, 10 insertions, 6 deletions
diff --git a/server/controllers/api/users/my-history.ts b/server/controllers/api/users/my-history.ts index bc5b40f59..e6d3e86ac 100644 --- a/server/controllers/api/users/my-history.ts +++ b/server/controllers/api/users/my-history.ts | |||
| @@ -1,3 +1,4 @@ | |||
| 1 | import { forceNumber } from '@shared/core-utils' | ||
| 1 | import express from 'express' | 2 | import express from 'express' |
| 2 | import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes' | 3 | import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes' |
| 3 | import { getFormattedObjects } from '../../../helpers/utils' | 4 | import { getFormattedObjects } from '../../../helpers/utils' |
| @@ -55,7 +56,7 @@ async function listMyVideosHistory (req: express.Request, res: express.Response) | |||
| 55 | async function removeUserHistoryElement (req: express.Request, res: express.Response) { | 56 | async function removeUserHistoryElement (req: express.Request, res: express.Response) { |
| 56 | const user = res.locals.oauth.token.User | 57 | const user = res.locals.oauth.token.User |
| 57 | 58 | ||
| 58 | await UserVideoHistoryModel.removeUserHistoryElement(user, parseInt(req.params.videoId + '')) | 59 | await UserVideoHistoryModel.removeUserHistoryElement(user, forceNumber(req.params.videoId)) |
| 59 | 60 | ||
| 60 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) | 61 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) |
| 61 | } | 62 | } |
diff --git a/server/controllers/api/users/my-video-playlists.ts b/server/controllers/api/users/my-video-playlists.ts index 715717610..fbdbb7e50 100644 --- a/server/controllers/api/users/my-video-playlists.ts +++ b/server/controllers/api/users/my-video-playlists.ts | |||
| @@ -1,5 +1,6 @@ | |||
| 1 | import { uuidToShort } from '@shared/extra-utils' | ||
| 2 | import express from 'express' | 1 | import express from 'express' |
| 2 | import { forceNumber } from '@shared/core-utils' | ||
| 3 | import { uuidToShort } from '@shared/extra-utils' | ||
| 3 | import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model' | 4 | import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model' |
| 4 | import { asyncMiddleware, authenticate } from '../../../middlewares' | 5 | import { asyncMiddleware, authenticate } from '../../../middlewares' |
| 5 | import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists' | 6 | import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists' |
| @@ -22,7 +23,7 @@ export { | |||
| 22 | // --------------------------------------------------------------------------- | 23 | // --------------------------------------------------------------------------- |
| 23 | 24 | ||
| 24 | async function doVideosInPlaylistExist (req: express.Request, res: express.Response) { | 25 | async function doVideosInPlaylistExist (req: express.Request, res: express.Response) { |
| 25 | const videoIds = req.query.videoIds.map(i => parseInt(i + '', 10)) | 26 | const videoIds = req.query.videoIds.map(i => forceNumber(i)) |
| 26 | const user = res.locals.oauth.token.User | 27 | const user = res.locals.oauth.token.User |
| 27 | 28 | ||
| 28 | const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds) | 29 | const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds) |
diff --git a/server/controllers/api/video-playlist.ts b/server/controllers/api/video-playlist.ts index 1255d14c6..67fac3751 100644 --- a/server/controllers/api/video-playlist.ts +++ b/server/controllers/api/video-playlist.ts | |||
| @@ -46,6 +46,7 @@ import { | |||
| 46 | import { AccountModel } from '../../models/account/account' | 46 | import { AccountModel } from '../../models/account/account' |
| 47 | import { VideoPlaylistModel } from '../../models/video/video-playlist' | 47 | import { VideoPlaylistModel } from '../../models/video/video-playlist' |
| 48 | import { VideoPlaylistElementModel } from '../../models/video/video-playlist-element' | 48 | import { VideoPlaylistElementModel } from '../../models/video/video-playlist-element' |
| 49 | import { forceNumber } from '@shared/core-utils' | ||
| 49 | 50 | ||
| 50 | const reqThumbnailFile = createReqFiles([ 'thumbnailfile' ], MIMETYPES.IMAGE.MIMETYPE_EXT) | 51 | const reqThumbnailFile = createReqFiles([ 'thumbnailfile' ], MIMETYPES.IMAGE.MIMETYPE_EXT) |
| 51 | 52 | ||
| @@ -245,7 +246,7 @@ async function updateVideoPlaylist (req: express.Request, res: express.Response) | |||
| 245 | if (videoPlaylistInfoToUpdate.description !== undefined) videoPlaylistInstance.description = videoPlaylistInfoToUpdate.description | 246 | if (videoPlaylistInfoToUpdate.description !== undefined) videoPlaylistInstance.description = videoPlaylistInfoToUpdate.description |
| 246 | 247 | ||
| 247 | if (videoPlaylistInfoToUpdate.privacy !== undefined) { | 248 | if (videoPlaylistInfoToUpdate.privacy !== undefined) { |
| 248 | videoPlaylistInstance.privacy = parseInt(videoPlaylistInfoToUpdate.privacy.toString(), 10) | 249 | videoPlaylistInstance.privacy = forceNumber(videoPlaylistInfoToUpdate.privacy) |
| 249 | 250 | ||
| 250 | if (wasNotPrivatePlaylist === true && videoPlaylistInstance.privacy === VideoPlaylistPrivacy.PRIVATE) { | 251 | if (wasNotPrivatePlaylist === true && videoPlaylistInstance.privacy === VideoPlaylistPrivacy.PRIVATE) { |
| 251 | await sendDeleteVideoPlaylist(videoPlaylistInstance, t) | 252 | await sendDeleteVideoPlaylist(videoPlaylistInstance, t) |
| @@ -424,7 +425,7 @@ async function reorderVideosPlaylist (req: express.Request, res: express.Respons | |||
| 424 | 425 | ||
| 425 | const endOldPosition = oldPosition + reorderLength - 1 | 426 | const endOldPosition = oldPosition + reorderLength - 1 |
| 426 | // Insert our reordered elements in their place (update) | 427 | // Insert our reordered elements in their place (update) |
| 427 | await VideoPlaylistElementModel.reassignPositionOf(videoPlaylist.id, oldPosition, endOldPosition, newPosition, t) | 428 | await VideoPlaylistElementModel.reassignPositionOf({ videoPlaylistId: videoPlaylist.id, firstPosition: oldPosition, endPosition: endOldPosition, newPosition, transaction: t }) |
| 428 | 429 | ||
| 429 | // Decrease positions of elements after the old position of our ordered elements (decrease) | 430 | // Decrease positions of elements after the old position of our ordered elements (decrease) |
| 430 | await VideoPlaylistElementModel.increasePositionOf(videoPlaylist.id, oldPosition, -reorderLength, t) | 431 | await VideoPlaylistElementModel.increasePositionOf(videoPlaylist.id, oldPosition, -reorderLength, t) |
diff --git a/server/controllers/api/videos/update.ts b/server/controllers/api/videos/update.ts index 0a910379a..260dee2b9 100644 --- a/server/controllers/api/videos/update.ts +++ b/server/controllers/api/videos/update.ts | |||
| @@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU | |||
| 19 | import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update' | 19 | import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update' |
| 20 | import { VideoModel } from '../../../models/video/video' | 20 | import { VideoModel } from '../../../models/video/video' |
| 21 | import { VideoPathManager } from '@server/lib/video-path-manager' | 21 | import { VideoPathManager } from '@server/lib/video-path-manager' |
| 22 | import { forceNumber } from '@shared/core-utils' | ||
| 22 | 23 | ||
| 23 | const lTags = loggerTagsFactory('api', 'video') | 24 | const lTags = loggerTagsFactory('api', 'video') |
| 24 | const auditLogger = auditLoggerFactory('videos') | 25 | const auditLogger = auditLoggerFactory('videos') |
| @@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: { | |||
| 174 | const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options | 175 | const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options |
| 175 | const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy) | 176 | const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy) |
| 176 | 177 | ||
| 177 | const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10) | 178 | const newPrivacy = forceNumber(videoInfoToUpdate.privacy) |
| 178 | setVideoPrivacy(videoInstance, newPrivacy) | 179 | setVideoPrivacy(videoInstance, newPrivacy) |
| 179 | 180 | ||
| 180 | // Unfederate the video if the new privacy is not compatible with federation | 181 | // Unfederate the video if the new privacy is not compatible with federation |