author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares/validators | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares,
it's better to have safe models too
Diffstat (limited to 'server/middlewares/validators')
-rw-r--r-- | server/middlewares/validators/abuse.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/redundancy.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/shared/abuses.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/shared/accounts.ts | 5 | ||||
-rw-r--r-- | server/middlewares/validators/shared/users.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/shared/video-comments.ts | 7 | ||||
-rw-r--r-- | server/middlewares/validators/shared/video-ownerships.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-imports.ts | 3 | ||||
-rw-r--r-- | server/middlewares/validators/videos/video-playlists.ts | 3 |
10 files changed, 23 insertions, 13 deletions
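--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -18,6 +18,7 @@ import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
 import { AbuseCreate, UserRight } from '@shared/models'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
+import { forceNumber } from '@shared/core-utils'
 
 const abuseReportValidator = [
 body('account.id')
@@ -216,7 +217,7 @@ const deleteAbuseMessageValidator = [
 const user = res.locals.oauth.token.user
 const abuse = res.locals.abuse
 
-const messageId = parseInt(req.params.messageId + '', 10)
+const messageId = forceNumber(req.params.messageId)
 const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
 
 if (!abuseMessage) {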
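Review bot: The new `import { forceNumber } from '@shared/core-utils'` at line 21 is placed after the relative `./shared` import, whereas every other file touched by this commit inserts it among the `@shared` imports directly before `@shared/models`; moving it up keeps the import grouping consistent across the validators. Separately, if `forceNumber` is a Number()-style coercion as its name suggests, a non-numeric `req.params.messageId` now becomes NaN rather than parseInt's partial result, and that NaN flows straight into `AbuseMessageModel.loadByIdAndAbuseId`; the code relies on an upstream id check that is not visible in this hunk, so a comment such as `// forceNumber only coerces; messageId must already be validated upstream` would make the dependency explicit. The same coercion pattern is used in the redundancy, shared/abuses, shared/accounts, shared/users, shared/video-comments, shared/video-ownerships, users, video-imports and video-playlists hunks. The handler inside `deleteAbuseMessageValidator` starts and ends outside the hunk.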
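--- a/server/middlewares/validators/redundancy.ts
+++ b/server/middlewares/validators/redundancy.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { isVideoRedundancyTarget } from '@server/helpers/custom-validators/video-redundancies'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import {
 exists,
@@ -171,7 +172,7 @@ const removeVideoRedundancyValidator = [
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 if (areValidationErrors(req, res)) return
 
-const redundancy = await VideoRedundancyModel.loadByIdWithVideo(parseInt(req.params.redundancyId, 10))
+const redundancy = await VideoRedundancyModel.loadByIdWithVideo(forceNumber(req.params.redundancyId))
 if (!redundancy) {
 return res.fail({
 status: HttpStatusCode.NOT_FOUND_404,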
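--- a/server/middlewares/validators/shared/abuses.ts
+++ b/server/middlewares/validators/shared/abuses.ts
@@ -1,9 +1,10 @@
 import { Response } from 'express'
 import { AbuseModel } from '@server/models/abuse/abuse'
 import { HttpStatusCode } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 async function doesAbuseExist (abuseId: number | string, res: Response) {
-const abuse = await AbuseModel.loadByIdWithReporter(parseInt(abuseId + '', 10))
+const abuse = await AbuseModel.loadByIdWithReporter(forceNumber(abuseId))
 
 if (!abuse) {
 res.fail({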
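--- a/server/middlewares/validators/shared/accounts.ts
+++ b/server/middlewares/validators/shared/accounts.ts
@@ -2,10 +2,11 @@ import { Response } from 'express'
 import { AccountModel } from '@server/models/account/account'
 import { UserModel } from '@server/models/user/user'
 import { MAccountDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function doesAccountIdExist (id: number | string, res: Response, sendNotFound = true) {
-const promise = AccountModel.load(parseInt(id + '', 10))
+const promise = AccountModel.load(forceNumber(id))
 
 return doesAccountExist(promise, res, sendNotFound)
 }
@@ -40,7 +41,7 @@ async function doesAccountExist (p: Promise<MAccountDefault>, res: Response, sen
 }
 
 async function doesUserFeedTokenCorrespond (id: number, token: string, res: Response) {
-const user = await UserModel.loadByIdWithChannels(parseInt(id + '', 10))
+const user = await UserModel.loadByIdWithChannels(forceNumber(id))
 
 if (token !== user.feedToken) {
 res.fail({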
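Review bot: In `doesUserFeedTokenCorrespond`, the `user` returned by `UserModel.loadByIdWithChannels(forceNumber(id))` on the new line 44 is dereferenced on the next line (`user.feedToken`) with no null check, so if an id that matches no user ever reaches this function the handler throws a TypeError instead of producing a controlled failure; guard the comparison with `if (!user || token !== user.feedToken) {`. The `id` parameter is already declared `number`, so `forceNumber(id)` is a no-op at the type level; either widen the signature to `number | string` as `doesAccountIdExist` does, or drop the conversion. `feedToken` looks like a per-user secret, in which case a constant-time comparison would be preferable to `!==`, though that predates this commit. The remainder of the function is outside the hunk.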
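--- a/server/middlewares/validators/shared/users.ts
+++ b/server/middlewares/validators/shared/users.ts
@@ -2,10 +2,11 @@ import express from 'express'
 import { ActorModel } from '@server/models/actor/actor'
 import { UserModel } from '@server/models/user/user'
 import { MUserDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
-const id = parseInt(idArg + '', 10)
+const id = forceNumber(idArg)
 return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
 }
 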
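--- a/server/middlewares/validators/shared/video-comments.ts
+++ b/server/middlewares/validators/shared/video-comments.ts
@@ -1,10 +1,11 @@
 import express from 'express'
 import { VideoCommentModel } from '@server/models/video/video-comment'
 import { MVideoId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, ServerErrorCode } from '@shared/models'
 
 async function doesVideoCommentThreadExist (idArg: number | string, video: MVideoId, res: express.Response) {
-const id = parseInt(idArg + '', 10)
+const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadById(id)
 
 if (!videoComment) {
@@ -33,7 +34,7 @@ async function doesVideoCommentThreadExist (idArg: number | string, video: MVide
 }
 
 async function doesVideoCommentExist (idArg: number | string, video: MVideoId, res: express.Response) {
-const id = parseInt(idArg + '', 10)
+const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
 if (!videoComment) {
@@ -57,7 +58,7 @@ async function doesVideoCommentExist (idArg: number | string, video: MVideoId, r
 }
 
 async function doesCommentIdExist (idArg: number | string, res: express.Response) {
-const id = parseInt(idArg + '', 10)
+const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
 if (!videoComment) {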
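--- a/server/middlewares/validators/shared/video-ownerships.ts
+++ b/server/middlewares/validators/shared/video-ownerships.ts
@@ -1,9 +1,10 @@
 import express from 'express'
 import { VideoChangeOwnershipModel } from '@server/models/video/video-change-ownership'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 async function doesChangeVideoOwnershipExist (idArg: number | string, res: express.Response) {
-const id = parseInt(idArg + '', 10)
+const id = forceNumber(idArg)
 const videoChangeOwnership = await VideoChangeOwnershipModel.load(id)
 
 if (!videoChangeOwnership) {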
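--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { Hooks } from '@server/lib/plugins/hooks'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
 import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
@@ -515,7 +516,7 @@ const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Requ
 
 const user = res.locals.oauth.token.User
 const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
-const targetUserId = parseInt(targetUserIdGetter(req) + '')
+const targetUserId = forceNumber(targetUserIdGetter(req))
 
 // Admin/moderator action on another user, skip the password check
 if (isAdminOrModerator && targetUserId !== user.id) {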
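Review bot: `targetUserId !== user.id` on line 522 is always true when `targetUserId` is NaN, so if `targetUserIdGetter(req)` yields a value `forceNumber` cannot coerce, an administrator or moderator skips the current-password check for a target that did not resolve to a numeric id. That behaviour is unchanged from the `parseInt` version, but since this hunk is already about making the coercion safe it is the natural place to fail closed: `if (isAdminOrModerator && Number.isInteger(targetUserId) && targetUserId !== user.id) {`. With that guard an unparseable target falls through to the normal password verification instead of bypassing it. The handler returned by `usersCheckCurrentPasswordFactory` starts and ends outside the hunk.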
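--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 if (areValidationErrors(req, res)) return
 
-if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
 if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
 if (res.locals.videoImport.state !== VideoImportState.PENDING) {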
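--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
 HttpStatusCode,
 UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
 if (areValidationErrors(req, res)) return
 
-const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+const playlistElementId = forceNumber(req.params.playlistElementId)
 const playlistId = req.params.playlistId
 
 const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)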