author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/shared | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/middlewares/validators/shared')
5 files changed, 13 insertions, 8 deletions
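--- a/server/middlewares/validators/shared/abuses.ts
+++ b/server/middlewares/validators/shared/abuses.ts
@@ -1,9 +1,10 @@
 import { Response } from 'express'
 import { AbuseModel } from '@server/models/abuse/abuse'
 import { HttpStatusCode } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 async function doesAbuseExist (abuseId: number | string, res: Response) {
-  const abuse = await AbuseModel.loadByIdWithReporter(parseInt(abuseId + '', 10))
+  const abuse = await AbuseModel.loadByIdWithReporter(forceNumber(abuseId))
 
   if (!abuse) {
     res.fail({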
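Review bot: Nothing on the new line 7 of abuses.ts checks that `forceNumber(abuseId)` produced a usable integer before it is handed to `AbuseModel.loadByIdWithReporter`; if forceNumber is parseInt-based like the expression it replaces (its body is not on this page), a non-numeric id still becomes NaN and the lookup runs with it. The commit message says the value is already validated upstream, but its stated goal is for these shared helpers to be safe on their own, and a guard such as `const id = forceNumber(abuseId); if (!Number.isInteger(id)) { /* take the same res.fail path as the not-found branch below */ }` before the model call would make that hold. The same point applies to the other four files in this commit: doesAccountIdExist and doesUserFeedTokenCorrespond in accounts.ts, checkUserIdExist in users.ts, the three helpers in video-comments.ts and doesChangeVideoOwnershipExist in video-ownerships.ts. doesAbuseExist continues past the end of the hunk.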
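--- a/server/middlewares/validators/shared/accounts.ts
+++ b/server/middlewares/validators/shared/accounts.ts
@@ -2,10 +2,11 @@ import { Response } from 'express'
 import { AccountModel } from '@server/models/account/account'
 import { UserModel } from '@server/models/user/user'
 import { MAccountDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function doesAccountIdExist (id: number | string, res: Response, sendNotFound = true) {
-  const promise = AccountModel.load(parseInt(id + '', 10))
+  const promise = AccountModel.load(forceNumber(id))
 
   return doesAccountExist(promise, res, sendNotFound)
 }
@@ -40,7 +41,7 @@ async function doesAccountExist (p: Promise<MAccountDefault>, res: Response, sen
 }
 
 async function doesUserFeedTokenCorrespond (id: number, token: string, res: Response) {
-  const user = await UserModel.loadByIdWithChannels(parseInt(id + '', 10))
+  const user = await UserModel.loadByIdWithChannels(forceNumber(id))
 
   if (token !== user.feedToken) {
     res.fail({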
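Review bot: In doesUserFeedTokenCorrespond, line 45 reads `user.feedToken` right after the new `UserModel.loadByIdWithChannels(forceNumber(id))` on line 44 with no check that a user was found; if the load resolves to null for an unknown id, the comparison throws a TypeError instead of producing the `res.fail` response this helper exists for. Changing the condition to `if (!user || token !== user.feedToken) {` routes the missing-user case through the same failure branch, whereas doesAccountIdExist above delegates that check to doesAccountExist, which lies outside the hunk. The parameter is also declared `id: number` yet is coerced with forceNumber, which suggests it should be typed `number | string` like the sibling helpers. The body of doesUserFeedTokenCorrespond continues past the end of the hunk.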
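--- a/server/middlewares/validators/shared/users.ts
+++ b/server/middlewares/validators/shared/users.ts
@@ -2,10 +2,11 @@ import express from 'express'
 import { ActorModel } from '@server/models/actor/actor'
 import { UserModel } from '@server/models/user/user'
 import { MUserDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
 }
 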
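--- a/server/middlewares/validators/shared/video-comments.ts
+++ b/server/middlewares/validators/shared/video-comments.ts
@@ -1,10 +1,11 @@
 import express from 'express'
 import { VideoCommentModel } from '@server/models/video/video-comment'
 import { MVideoId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, ServerErrorCode } from '@shared/models'
 
 async function doesVideoCommentThreadExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadById(id)
 
   if (!videoComment) {
@@ -33,7 +34,7 @@ async function doesVideoCommentThreadExist (idArg: number | string, video: MVide
 }
 
 async function doesVideoCommentExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {
@@ -57,7 +58,7 @@ async function doesVideoCommentExist (idArg: number | string, video: MVideoId, r
 }
 
 async function doesCommentIdExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {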
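--- a/server/middlewares/validators/shared/video-ownerships.ts
+++ b/server/middlewares/validators/shared/video-ownerships.ts
@@ -1,9 +1,10 @@
 import express from 'express'
 import { VideoChangeOwnershipModel } from '@server/models/video/video-change-ownership'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 async function doesChangeVideoOwnershipExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoChangeOwnership = await VideoChangeOwnershipModel.load(id)
 
   if (!videoChangeOwnership) {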