author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/abuse.ts | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/middlewares/validators/abuse.ts')
-rw-r--r-- | server/middlewares/validators/abuse.ts | 3 |
1 files changed, 2 insertions, 1 deletions
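--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -18,6 +18,7 @@ import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
 import { AbuseCreate, UserRight } from '@shared/models'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
+import { forceNumber } from '@shared/core-utils'
 
 const abuseReportValidator = [
 body('account.id')
@@ -216,7 +217,7 @@ const deleteAbuseMessageValidator = [
 const user = res.locals.oauth.token.user
 const abuse = res.locals.abuse
 
-const messageId = parseInt(req.params.messageId + '', 10)
+const messageId = forceNumber(req.params.messageId)
 const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
 
 if (!abuseMessage) {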
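Review bot: The value from `forceNumber(req.params.messageId)` (new line 220) is passed to `AbuseMessageModel.loadByIdAndAbuseId` without a check that it is a finite integer. The definition of `forceNumber` is not visible in this diff, so this is hedged: if it parses the way the replaced `parseInt(... + '', 10)` did, a non-numeric route parameter yields `NaN`, and if it omits the radix, a `0x`-prefixed string would be read as hexadecimal where the old call read it as `0`. The commit message relies on the earlier middleware checks, which sit outside this hunk, so for the stated defence-in-depth goal I would add a local guard before the lookup, for example `if (!Number.isSafeInteger(messageId)) { /* reject with a 400 response */ }`. A one-line comment such as `// messageId is validated upstream; coerce again so the model never receives a raw string` would also record why the coercion is repeated here. The enclosing handler in `deleteAbuseMessageValidator` starts and ends outside the hunk.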