aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/controllers/api
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
downloadPeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
Don't inject untrusted input
Even if it's already checked in middlewares It's better to have safe modals too
Diffstat (limited to 'server/controllers/api')
-rw-r--r--server/controllers/api/users/my-history.ts3
-rw-r--r--server/controllers/api/users/my-video-playlists.ts5
-rw-r--r--server/controllers/api/video-playlist.ts5
-rw-r--r--server/controllers/api/videos/update.ts3
4 files changed, 10 insertions, 6 deletions
diff --git a/server/controllers/api/users/my-history.ts b/server/controllers/api/users/my-history.ts
index bc5b40f59..e6d3e86ac 100644
--- a/server/controllers/api/users/my-history.ts
+++ b/server/controllers/api/users/my-history.ts
@@ -1,3 +1,4 @@
1import { forceNumber } from '@shared/core-utils'
1import express from 'express' 2import express from 'express'
2import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes' 3import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
3import { getFormattedObjects } from '../../../helpers/utils' 4import { getFormattedObjects } from '../../../helpers/utils'
@@ -55,7 +56,7 @@ async function listMyVideosHistory (req: express.Request, res: express.Response)
55async function removeUserHistoryElement (req: express.Request, res: express.Response) { 56async function removeUserHistoryElement (req: express.Request, res: express.Response) {
56 const user = res.locals.oauth.token.User 57 const user = res.locals.oauth.token.User
57 58
58 await UserVideoHistoryModel.removeUserHistoryElement(user, parseInt(req.params.videoId + '')) 59 await UserVideoHistoryModel.removeUserHistoryElement(user, forceNumber(req.params.videoId))
59 60
60 return res.sendStatus(HttpStatusCode.NO_CONTENT_204) 61 return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
61} 62}
diff --git a/server/controllers/api/users/my-video-playlists.ts b/server/controllers/api/users/my-video-playlists.ts
index 715717610..fbdbb7e50 100644
--- a/server/controllers/api/users/my-video-playlists.ts
+++ b/server/controllers/api/users/my-video-playlists.ts
@@ -1,5 +1,6 @@
1import { uuidToShort } from '@shared/extra-utils'
2import express from 'express' 1import express from 'express'
2import { forceNumber } from '@shared/core-utils'
3import { uuidToShort } from '@shared/extra-utils'
3import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model' 4import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model'
4import { asyncMiddleware, authenticate } from '../../../middlewares' 5import { asyncMiddleware, authenticate } from '../../../middlewares'
5import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists' 6import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists'
@@ -22,7 +23,7 @@ export {
22// --------------------------------------------------------------------------- 23// ---------------------------------------------------------------------------
23 24
24async function doVideosInPlaylistExist (req: express.Request, res: express.Response) { 25async function doVideosInPlaylistExist (req: express.Request, res: express.Response) {
25 const videoIds = req.query.videoIds.map(i => parseInt(i + '', 10)) 26 const videoIds = req.query.videoIds.map(i => forceNumber(i))
26 const user = res.locals.oauth.token.User 27 const user = res.locals.oauth.token.User
27 28
28 const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds) 29 const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds)
diff --git a/server/controllers/api/video-playlist.ts b/server/controllers/api/video-playlist.ts
index 1255d14c6..67fac3751 100644
--- a/server/controllers/api/video-playlist.ts
+++ b/server/controllers/api/video-playlist.ts
@@ -46,6 +46,7 @@ import {
46import { AccountModel } from '../../models/account/account' 46import { AccountModel } from '../../models/account/account'
47import { VideoPlaylistModel } from '../../models/video/video-playlist' 47import { VideoPlaylistModel } from '../../models/video/video-playlist'
48import { VideoPlaylistElementModel } from '../../models/video/video-playlist-element' 48import { VideoPlaylistElementModel } from '../../models/video/video-playlist-element'
49import { forceNumber } from '@shared/core-utils'
49 50
50const reqThumbnailFile = createReqFiles([ 'thumbnailfile' ], MIMETYPES.IMAGE.MIMETYPE_EXT) 51const reqThumbnailFile = createReqFiles([ 'thumbnailfile' ], MIMETYPES.IMAGE.MIMETYPE_EXT)
51 52
@@ -245,7 +246,7 @@ async function updateVideoPlaylist (req: express.Request, res: express.Response)
245 if (videoPlaylistInfoToUpdate.description !== undefined) videoPlaylistInstance.description = videoPlaylistInfoToUpdate.description 246 if (videoPlaylistInfoToUpdate.description !== undefined) videoPlaylistInstance.description = videoPlaylistInfoToUpdate.description
246 247
247 if (videoPlaylistInfoToUpdate.privacy !== undefined) { 248 if (videoPlaylistInfoToUpdate.privacy !== undefined) {
248 videoPlaylistInstance.privacy = parseInt(videoPlaylistInfoToUpdate.privacy.toString(), 10) 249 videoPlaylistInstance.privacy = forceNumber(videoPlaylistInfoToUpdate.privacy)
249 250
250 if (wasNotPrivatePlaylist === true && videoPlaylistInstance.privacy === VideoPlaylistPrivacy.PRIVATE) { 251 if (wasNotPrivatePlaylist === true && videoPlaylistInstance.privacy === VideoPlaylistPrivacy.PRIVATE) {
251 await sendDeleteVideoPlaylist(videoPlaylistInstance, t) 252 await sendDeleteVideoPlaylist(videoPlaylistInstance, t)
@@ -424,7 +425,7 @@ async function reorderVideosPlaylist (req: express.Request, res: express.Respons
424 425
425 const endOldPosition = oldPosition + reorderLength - 1 426 const endOldPosition = oldPosition + reorderLength - 1
426 // Insert our reordered elements in their place (update) 427 // Insert our reordered elements in their place (update)
427 await VideoPlaylistElementModel.reassignPositionOf(videoPlaylist.id, oldPosition, endOldPosition, newPosition, t) 428 await VideoPlaylistElementModel.reassignPositionOf({ videoPlaylistId: videoPlaylist.id, firstPosition: oldPosition, endPosition: endOldPosition, newPosition, transaction: t })
428 429
429 // Decrease positions of elements after the old position of our ordered elements (decrease) 430 // Decrease positions of elements after the old position of our ordered elements (decrease)
430 await VideoPlaylistElementModel.increasePositionOf(videoPlaylist.id, oldPosition, -reorderLength, t) 431 await VideoPlaylistElementModel.increasePositionOf(videoPlaylist.id, oldPosition, -reorderLength, t)
diff --git a/server/controllers/api/videos/update.ts b/server/controllers/api/videos/update.ts
index 0a910379a..260dee2b9 100644
--- a/server/controllers/api/videos/update.ts
+++ b/server/controllers/api/videos/update.ts
@@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU
19import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update' 19import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update'
20import { VideoModel } from '../../../models/video/video' 20import { VideoModel } from '../../../models/video/video'
21import { VideoPathManager } from '@server/lib/video-path-manager' 21import { VideoPathManager } from '@server/lib/video-path-manager'
22import { forceNumber } from '@shared/core-utils'
22 23
23const lTags = loggerTagsFactory('api', 'video') 24const lTags = loggerTagsFactory('api', 'video')
24const auditLogger = auditLoggerFactory('videos') 25const auditLogger = auditLoggerFactory('videos')
@@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: {
174 const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options 175 const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options
175 const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy) 176 const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy)
176 177
177 const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10) 178 const newPrivacy = forceNumber(videoInfoToUpdate.privacy)
178 setVideoPrivacy(videoInstance, newPrivacy) 179 setVideoPrivacy(videoInstance, newPrivacy)
179 180
180 // Unfederate the video if the new privacy is not compatible with federation 181 // Unfederate the video if the new privacy is not compatible with federation