diff options
| author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
|---|---|---|
| committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
| commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
| tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/users.ts | |
| parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
| download | PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe modals too
Diffstat (limited to 'server/middlewares/validators/users.ts')
| -rw-r--r-- | server/middlewares/validators/users.ts | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 055af3b64..50327b6ae 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | import express from 'express' | 1 | import express from 'express' |
| 2 | import { body, param, query } from 'express-validator' | 2 | import { body, param, query } from 'express-validator' |
| 3 | import { Hooks } from '@server/lib/plugins/hooks' | 3 | import { Hooks } from '@server/lib/plugins/hooks' |
| 4 | import { forceNumber } from '@shared/core-utils' | ||
| 4 | import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models' | 5 | import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models' |
| 5 | import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc' | 6 | import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc' |
| 6 | import { isThemeNameValid } from '../../helpers/custom-validators/plugins' | 7 | import { isThemeNameValid } from '../../helpers/custom-validators/plugins' |
| @@ -515,7 +516,7 @@ const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Requ | |||
| 515 | 516 | ||
| 516 | const user = res.locals.oauth.token.User | 517 | const user = res.locals.oauth.token.User |
| 517 | const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR | 518 | const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR |
| 518 | const targetUserId = parseInt(targetUserIdGetter(req) + '') | 519 | const targetUserId = forceNumber(targetUserIdGetter(req)) |
| 519 | 520 | ||
| 520 | // Admin/moderator action on another user, skip the password check | 521 | // Admin/moderator action on another user, skip the password check |
| 521 | if (isAdminOrModerator && targetUserId !== user.id) { | 522 | if (isAdminOrModerator && targetUserId !== user.id) { |