authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/helpers/video.ts
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
Don't inject untrusted input
Even if it's already checked in middlewares, it's better to have safe models too
Diffstat (limited to 'server/helpers/video.ts')
-rw-r--r--server/helpers/video.ts5
1 files changed, 3 insertions, 2 deletions
diff --git a/server/helpers/video.ts b/server/helpers/video.ts
index f5f645d3e..c688ef1e3 100644
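--- a/server/helpers/video.ts
+++ b/server/helpers/video.ts
@@ -2,6 +2,7 @@ import { Response } from 'express'
 import { CONFIG } from '@server/initializers/config'
 import { isStreamingPlaylist, MStreamingPlaylistVideo, MVideo } from '@server/types/models'
 import { VideoPrivacy, VideoState } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 function getVideoWithAttributes (res: Response) {
  return res.locals.videoAPI || res.locals.videoAll || res.locals.onlyVideo
@@ -14,14 +15,14 @@ function extractVideo (videoOrPlaylist: MVideo | MStreamingPlaylistVideo) {
 }
 
 function isPrivacyForFederation (privacy: VideoPrivacy) {
- const castedPrivacy = parseInt(privacy + '', 10)
+ const castedPrivacy = forceNumber(privacy)
 
  return castedPrivacy === VideoPrivacy.PUBLIC ||
  (CONFIG.FEDERATION.VIDEOS.FEDERATE_UNLISTED === true && castedPrivacy === VideoPrivacy.UNLISTED)
 }
 
 function isStateForFederation (state: VideoState) {
- const castedState = parseInt(state + '', 10)
+ const castedState = forceNumber(state)
 
  return castedState === VideoState.PUBLISHED || castedState === VideoState.WAITING_FOR_LIVE || castedState === VideoState.LIVE_ENDED
 }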
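Review bot: Whether `isPrivacyForFederation` and `isStateForFederation` still fail closed on malformed input now depends entirely on `forceNumber`, and neither function documents that expectation. `forceNumber` is defined outside this page, so its handling of empty, non-numeric or partially numeric strings cannot be confirmed here; it may differ from the old `parseInt(x + '', 10)`, which accepted a leading-digit prefix. Since the parameter is typed as an enum but is evidently expected to arrive as a string at runtime, I would add a comment above each cast such as `// may be a string taken from the request; any value that is not exactly one of the enum numbers below must return false`. A small unit test feeding both helpers empty, non-numeric and mixed strings would pin that down, so a later change to `forceNumber` cannot silently widen what gets federated.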