author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/api | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/controllers/api')
-rw-r--r-- | server/controllers/api/users/my-history.ts | 3 | ||||
-rw-r--r-- | server/controllers/api/users/my-video-playlists.ts | 5 | ||||
-rw-r--r-- | server/controllers/api/video-playlist.ts | 5 | ||||
-rw-r--r-- | server/controllers/api/videos/update.ts | 3 |
4 files changed, 10 insertions, 6 deletions
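--- a/server/controllers/api/users/my-history.ts
+++ b/server/controllers/api/users/my-history.ts
@@ -1,3 +1,4 @@
+import { forceNumber } from '@shared/core-utils'
 import express from 'express'
 import { HttpStatusCode } from '../../../../shared/models/http/http-error-codes'
 import { getFormattedObjects } from '../../../helpers/utils'
@@ -55,7 +56,7 @@ async function listMyVideosHistory (req: express.Request, res: express.Response)
 async function removeUserHistoryElement (req: express.Request, res: express.Response) {
 const user = res.locals.oauth.token.User
 
-await UserVideoHistoryModel.removeUserHistoryElement(user, parseInt(req.params.videoId + ''))
+await UserVideoHistoryModel.removeUserHistoryElement(user, forceNumber(req.params.videoId))
 
 return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
 }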
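Review bot: The value returned by `forceNumber(req.params.videoId)` goes straight into `removeUserHistoryElement` with no check that it is an integer. `forceNumber` is imported from `@shared/core-utils` and its body is not shown here; if it keeps the `parseInt` semantics of the line it replaces, a non-numeric id yields `NaN` and the model has to cope with it. Since the commit's aim is not to rely on the middleware alone, consider `const videoId = forceNumber(req.params.videoId)` followed by `if (!Number.isInteger(videoId)) return res.sendStatus(HttpStatusCode.BAD_REQUEST_400)`. The same applies to the `forceNumber` calls in my-video-playlists.ts, video-playlist.ts and videos/update.ts.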
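--- a/server/controllers/api/users/my-video-playlists.ts
+++ b/server/controllers/api/users/my-video-playlists.ts
@@ -1,5 +1,6 @@
-import { uuidToShort } from '@shared/extra-utils'
 import express from 'express'
+import { forceNumber } from '@shared/core-utils'
+import { uuidToShort } from '@shared/extra-utils'
 import { VideosExistInPlaylists } from '../../../../shared/models/videos/playlist/video-exist-in-playlist.model'
 import { asyncMiddleware, authenticate } from '../../../middlewares'
 import { doVideosInPlaylistExistValidator } from '../../../middlewares/validators/videos/video-playlists'
@@ -22,7 +23,7 @@ export {
 // ---------------------------------------------------------------------------
 
 async function doVideosInPlaylistExist (req: express.Request, res: express.Response) {
-const videoIds = req.query.videoIds.map(i => parseInt(i + '', 10))
+const videoIds = req.query.videoIds.map(i => forceNumber(i))
 const user = res.locals.oauth.token.User
 
 const results = await VideoPlaylistModel.listPlaylistSummariesOf(user.Account.id, videoIds)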
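Review bot: `req.query.videoIds.map(...)` still trusts the shape of the container, because only the elements are coerced. A query that parses to a single string or a nested object would throw on `.map` unless `doVideosInPlaylistExistValidator` has already normalised it, which this hunk does not show. For the same defence in depth the commit message argues for, guard it in the controller, e.g. `const rawIds = Array.isArray(req.query.videoIds) ? req.query.videoIds : []` and map over `rawIds`. The body of `doVideosInPlaylistExist` continues past the hunk.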
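--- a/server/controllers/api/video-playlist.ts
+++ b/server/controllers/api/video-playlist.ts
@@ -46,6 +46,7 @@ import {
 import { AccountModel } from '../../models/account/account'
 import { VideoPlaylistModel } from '../../models/video/video-playlist'
 import { VideoPlaylistElementModel } from '../../models/video/video-playlist-element'
+import { forceNumber } from '@shared/core-utils'
 
 const reqThumbnailFile = createReqFiles([ 'thumbnailfile' ], MIMETYPES.IMAGE.MIMETYPE_EXT)
 
@@ -245,7 +246,7 @@ async function updateVideoPlaylist (req: express.Request, res: express.Response)
 if (videoPlaylistInfoToUpdate.description !== undefined) videoPlaylistInstance.description = videoPlaylistInfoToUpdate.description
 
 if (videoPlaylistInfoToUpdate.privacy !== undefined) {
-videoPlaylistInstance.privacy = parseInt(videoPlaylistInfoToUpdate.privacy.toString(), 10)
+videoPlaylistInstance.privacy = forceNumber(videoPlaylistInfoToUpdate.privacy)
 
 if (wasNotPrivatePlaylist === true && videoPlaylistInstance.privacy === VideoPlaylistPrivacy.PRIVATE) {
 await sendDeleteVideoPlaylist(videoPlaylistInstance, t)
@@ -424,7 +425,7 @@ async function reorderVideosPlaylist (req: express.Request, res: express.Respons
 
 const endOldPosition = oldPosition + reorderLength - 1
 // Insert our reordered elements in their place (update)
-await VideoPlaylistElementModel.reassignPositionOf(videoPlaylist.id, oldPosition, endOldPosition, newPosition, t)
+await VideoPlaylistElementModel.reassignPositionOf({ videoPlaylistId: videoPlaylist.id, firstPosition: oldPosition, endPosition: endOldPosition, newPosition, transaction: t })
 
 // Decrease positions of elements after the old position of our ordered elements (decrease)
 await VideoPlaylistElementModel.increasePositionOf(videoPlaylist.id, oldPosition, -reorderLength, t)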
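Review bot: In the reorder hunk, `oldPosition`, `endOldPosition`, `newPosition` and `reorderLength` reach `reassignPositionOf` and `increasePositionOf` without the `forceNumber` coercion that the other call sites in this commit receive. They are assigned outside the hunk, so if they are read from the request they should be coerced where they are assigned. A comment above the call, such as `// oldPosition/newPosition/reorderLength must already be numbers here (coerced where they are read)`, would record that contract. `increasePositionOf` two lines below keeps its positional signature; giving it the same options-object form would keep the two calls consistent and harder to mis-order.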
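--- a/server/controllers/api/videos/update.ts
+++ b/server/controllers/api/videos/update.ts
@@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU
 import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update'
 import { VideoModel } from '../../../models/video/video'
 import { VideoPathManager } from '@server/lib/video-path-manager'
+import { forceNumber } from '@shared/core-utils'
 
 const lTags = loggerTagsFactory('api', 'video')
 const auditLogger = auditLoggerFactory('videos')
@@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: {
 const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options
 const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy)
 
-const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10)
+const newPrivacy = forceNumber(videoInfoToUpdate.privacy)
 setVideoPrivacy(videoInstance, newPrivacy)
 
 // Unfederate the video if the new privacy is not compatible with federation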
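Review bot: `videoInstance.isNewVideo(videoInfoToUpdate.privacy)` on the line above still receives the uncoerced value, while `setVideoPrivacy` gets the coerced one, so the two decisions can be made on different representations of the same input. Compute the number first and reuse it: `const newPrivacy = forceNumber(videoInfoToUpdate.privacy)` then `const isNewVideo = videoInstance.isNewVideo(newPrivacy)`. `updateVideoPrivacy` starts and ends outside the hunk, so any later use of `videoInfoToUpdate.privacy` in its body is worth checking as well.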