aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/middlewares/validators/users.ts
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/users.ts
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
downloadPeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
Don't inject untrusted input
Even if it's already checked in middlewares It's better to have safe modals too
Diffstat (limited to 'server/middlewares/validators/users.ts')
-rw-r--r--server/middlewares/validators/users.ts3
1 files changed, 2 insertions, 1 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 055af3b64..50327b6ae 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,6 +1,7 @@
1import express from 'express' 1import express from 'express'
2import { body, param, query } from 'express-validator' 2import { body, param, query } from 'express-validator'
3import { Hooks } from '@server/lib/plugins/hooks' 3import { Hooks } from '@server/lib/plugins/hooks'
4import { forceNumber } from '@shared/core-utils'
4import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models' 5import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
5import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc' 6import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
6import { isThemeNameValid } from '../../helpers/custom-validators/plugins' 7import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
@@ -515,7 +516,7 @@ const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Requ
515 516
516 const user = res.locals.oauth.token.User 517 const user = res.locals.oauth.token.User
517 const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR 518 const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
518 const targetUserId = parseInt(targetUserIdGetter(req) + '') 519 const targetUserId = forceNumber(targetUserIdGetter(req))
519 520
520 // Admin/moderator action on another user, skip the password check 521 // Admin/moderator action on another user, skip the password check
521 if (isAdminOrModerator && targetUserId !== user.id) { 522 if (isAdminOrModerator && targetUserId !== user.id) {