Don't inject untrusted input

Even if it's already checked in middlewares It's better to have safe modals too
author: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
committer: Chocobozzz <me@florianbigard.com> 2022-11-15 14:41:55 +0100
commit: 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree: 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/lib
parent: 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download: PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/server/lib/activitypub/collection.ts b/server/lib/activitypub/collection.ts
index f897141ea..a176cab51 100644
--- a/server/lib/activitypub/collection.ts
+++ b/server/lib/activitypub/collection.ts
@@ -3,6 +3,7 @@ import validator from 'validator'
 import { pageToStartAndCount } from '@server/helpers/core-utils'
 import { ACTIVITY_PUB } from '@server/initializers/constants'
 import { ResultList } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 type ActivityPubCollectionPaginationHandler = (start: number, count: number) => Bluebird<ResultList<any>> | Promise<ResultList<any>>
@@ -33,7 +34,7 @@ async function activityPubCollectionPagination (
  let prev: string | undefined
  // Assert page is a number
-  page = parseInt(page, 10)
+  page = forceNumber(page)
  // There are more results
  if (result.total > page * size) {
author	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
committer	Chocobozzz <me@florianbigard.com>	2022-11-15 14:41:55 +0100
commit	4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree	3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/lib
parent	6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
download	PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip