Don't inject untrusted input

Even if it's already checked in middlewares It's better to have safe modals too
author: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
commit: 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree: 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/download.ts
parent: 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download: PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/server/controllers/download.ts b/server/controllers/download.ts
index d9f34109f..65b9a1d1b 100644
--- a/server/controllers/download.ts
+++ b/server/controllers/download.ts
@@ -5,7 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
 import { Hooks } from '@server/lib/plugins/hooks'
 import { VideoPathManager } from '@server/lib/video-path-manager'
 import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
-import { addQueryParams } from '@shared/core-utils'
+import { addQueryParams, forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
 import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
 import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@@ -132,7 +132,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
 }
 function getVideoFile (req: express.Request, files: MVideoFile[]) {
-  const resolution = parseInt(req.params.resolution, 10)
+  const resolution = forceNumber(req.params.resolution)
  return files.find(f => f.resolution === resolution)
 }
author	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
commit	4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree	3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/controllers/download.ts
parent	6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download	PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip

diff --git a/server/controllers/download.ts b/server/controllers/download.ts index d9f34109f..65b9a1d1b 100644 --- a/server/controllers/download.ts +++ b/server/controllers/download.ts
@@ -5,7 +5,7 @@ import { VideosTorrentCache } from '@server/lib/files-cache/videos-torrent-cache
5	import { Hooks } from '@server/lib/plugins/hooks'	5	import { Hooks } from '@server/lib/plugins/hooks'
6	import { VideoPathManager } from '@server/lib/video-path-manager'	6	import { VideoPathManager } from '@server/lib/video-path-manager'
7	import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'	7	import { MStreamingPlaylist, MVideo, MVideoFile, MVideoFullLight } from '@server/types/models'
8	import { addQueryParams } from '@shared/core-utils'	8	import { addQueryParams, forceNumber } from '@shared/core-utils'
9	import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'	9	import { HttpStatusCode, VideoStorage, VideoStreamingPlaylistType } from '@shared/models'
10	import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'	10	import { STATIC_DOWNLOAD_PATHS } from '../initializers/constants'
11	import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'	11	import { asyncMiddleware, optionalAuthenticate, videosDownloadValidator } from '../middlewares'
@@ -132,7 +132,7 @@ async function downloadHLSVideoFile (req: express.Request, res: express.Response
132	}	132	}
133		133
134	function getVideoFile (req: express.Request, files: MVideoFile[]) {	134	function getVideoFile (req: express.Request, files: MVideoFile[]) {
135	const resolution = parseInt(req.params.resolution, 10)	135	const resolution = forceNumber(req.params.resolution)
136	return files.find(f => f.resolution === resolution)	136	return files.find(f => f.resolution === resolution)
137	}	137	}
138		138