authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators/videos
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
Don't inject untrusted input
Even if it's already checked in middlewares, it's better to have safe models too
Diffstat (limited to 'server/middlewares/validators/videos')
-rw-r--r--server/middlewares/validators/videos/video-imports.ts3
-rw-r--r--server/middlewares/validators/videos/video-playlists.ts3
2 files changed, 4 insertions, 2 deletions
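--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  if (areValidationErrors(req, res)) return
 
- if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+ if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
  if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
  if (res.locals.videoImport.state !== VideoImportState.PENDING) {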
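Review bot: The value from `forceNumber(req.params.id)` goes straight into `doesVideoImportExist` with nothing in this handler confirming it is a finite integer. forceNumber's implementation is not shown on this page; if it behaves like the `parseInt` it replaces, non-numeric input yields NaN and the lookup still depends on the validation chain that the commit message says should not be the only safeguard. Converting once, `const importId = forceNumber(req.params.id)`, and answering with a 400 when `!Number.isInteger(importId)` would make the handler safe on its own. The handler body starts and ends outside this hunk, so an existing check there cannot be ruled out.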
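--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
  HttpStatusCode,
  UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  if (areValidationErrors(req, res)) return
 
- const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+ const playlistElementId = forceNumber(req.params.playlistElementId)
  const playlistId = req.params.playlistId
 
  const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)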
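Review bot: `const playlistId = req.params.playlistId` is still handed to `VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP` as the raw request string, while only `playlistElementId` is coerced. If the model accepts both numeric ids and UUIDs that may be intentional, but then a comment such as `// playlistId may be a numeric id or a UUID; the model must bind it as a query parameter` would record why it is left untouched. Separately, the replaced call passed radix `10` explicitly; forceNumber is not visible here, so it is worth confirming it also parses base 10 only. The validator's `param()` chain lies outside the hunk.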