author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/pagination.ts | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/middlewares/pagination.ts')
-rw-r--r-- | server/middlewares/pagination.ts | 5 |
1 files changed, 3 insertions, 2 deletions
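--- a/server/middlewares/pagination.ts
+++ b/server/middlewares/pagination.ts
@@ -1,12 +1,13 @@
 import express from 'express'
+import { forceNumber } from '@shared/core-utils'
 import { PAGINATION } from '../initializers/constants'
 
 function setDefaultPagination (req: express.Request, res: express.Response, next: express.NextFunction) {
   if (!req.query.start) req.query.start = 0
-  else req.query.start = parseInt(req.query.start, 10)
+  else req.query.start = forceNumber(req.query.start)
 
   if (!req.query.count) req.query.count = PAGINATION.GLOBAL.COUNT.DEFAULT
-  else req.query.count = parseInt(req.query.count, 10)
+  else req.query.count = forceNumber(req.query.count)
 
   return next()
 }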
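Review bot: The `else` branches at new lines 7 and 10 forward whatever `forceNumber` returns straight into `req.query`, and its behaviour on non-numeric, array or nested-object values (which the default express query parser produces for inputs such as `?start[]=1`) is not visible in this hunk; if it can yield `NaN`, that value reaches the query layer unchanged, exactly the case the commit message is trying to close. Since the message states that validation already happened in an earlier middleware, that contract belongs on the function itself, e.g. a header comment `// Coerces start/count to numbers; assumes the pagination validator already rejected out-of-range or malformed values.` If a local guard is wanted regardless, `if (!Number.isFinite(req.query.start)) req.query.start = 0` after each coercion keeps the defaults as the only fallback — whether that duplicates what `forceNumber` does depends on its definition in @shared/core-utils, which should be checked before adding it. The function is fully contained in the hunk.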