author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/videos | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/middlewares/validators/videos')
-rw-r--r-- | server/middlewares/validators/videos/video-imports.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-playlists.ts | 3 |
2 files changed, 4 insertions, 2 deletions
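diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index f295b1885..72442aeb6 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 if (areValidationErrors(req, res)) return
 
-if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
 if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
 if (res.locals.videoImport.state !== VideoImportState.PENDING) {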
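Review bot: The result of `forceNumber(req.params.id)` goes straight into `doesVideoImportExist` with no check that the coercion produced a usable integer. The definition of `forceNumber` is not part of this view, so if it is a plain numeric cast, a non-numeric `id` would reach the lookup as `NaN` should the param validator ahead of this handler ever be loosened or reordered. Since the commit message frames the change as defence in depth, I would bind the value once with `const importId = forceNumber(req.params.id)` and reject it when `!Number.isInteger(importId)` before calling the lookup. A short comment such as `// Defence in depth: validators already ran, but the model layer must only ever receive a number` would record why the cast is there. The handler in `videoImportCancelValidator` starts before and continues past this hunk, so the validator chain itself could not be checked here.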
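diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 6d4b8a6f1..e4b7e5c56 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
 HttpStatusCode,
 UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 if (areValidationErrors(req, res)) return
 
-const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+const playlistElementId = forceNumber(req.params.playlistElementId)
 const playlistId = req.params.playlistId
 
 const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)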
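Review bot: `playlistId`, on the line after the coerced element id, is still taken raw from `req.params.playlistId` and handed to `VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP`, so only one of the two request-derived arguments gets the treatment the commit message asks for. The model and the validator chain above this handler are outside this view. If `playlistId` is meant to accept a non-numeric identifier it presumably cannot go through `forceNumber`, and a comment such as `// playlistId may be non-numeric: the model must pass it as a bound value, never interpolate it` would record why it stays a string. It is also worth confirming that `forceNumber` parses with radix 10, since the replaced call passed `10` explicitly.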