authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/middlewares
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
downloadPeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
Don't inject untrusted input
Even if it is already checked in the middlewares, it is better to have safe models too.
Diffstat (limited to 'server/middlewares')
-rw-r--r--server/middlewares/pagination.ts5
-rw-r--r--server/middlewares/validators/abuse.ts3
-rw-r--r--server/middlewares/validators/redundancy.ts3
-rw-r--r--server/middlewares/validators/shared/abuses.ts3
-rw-r--r--server/middlewares/validators/shared/accounts.ts5
-rw-r--r--server/middlewares/validators/shared/users.ts3
-rw-r--r--server/middlewares/validators/shared/video-comments.ts7
-rw-r--r--server/middlewares/validators/shared/video-ownerships.ts3
-rw-r--r--server/middlewares/validators/users.ts3
-rw-r--r--server/middlewares/validators/videos/video-imports.ts3
-rw-r--r--server/middlewares/validators/videos/video-playlists.ts3
11 files changed, 26 insertions, 15 deletions
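diff --git a/server/middlewares/pagination.ts b/server/middlewares/pagination.ts
index 9812af9e4..17e43f743 100644
--- a/server/middlewares/pagination.ts
+++ b/server/middlewares/pagination.ts
@@ -1,12 +1,13 @@
 import express from 'express'
+import { forceNumber } from '@shared/core-utils'
 import { PAGINATION } from '../initializers/constants'
 
 function setDefaultPagination (req: express.Request, res: express.Response, next: express.NextFunction) {
   if (!req.query.start) req.query.start = 0
-  else req.query.start = parseInt(req.query.start, 10)
+  else req.query.start = forceNumber(req.query.start)
 
   if (!req.query.count) req.query.count = PAGINATION.GLOBAL.COUNT.DEFAULT
-  else req.query.count = parseInt(req.query.count, 10)
+  else req.query.count = forceNumber(req.query.count)
 
   return next()
 }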
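Review bot: `forceNumber(req.query.start)` and `forceNumber(req.query.count)` are written straight back into req.query with no check on the result, so a non-numeric or negative value reaches the query layer as NaN or a negative offset unless a validator earlier in the chain (not visible here) has already rejected it. forceNumber's implementation is outside this diff; from its use as a drop-in for parseInt it looks like a plain coercion rather than a validation. A minimal own guard would be `if (Number.isNaN(req.query.start) || req.query.start < 0) req.query.start = 0`, with the equivalent for count falling back to PAGINATION.GLOBAL.COUNT.DEFAULT, or at least a comment such as `// coercion only: non-numeric values must be rejected by the preceding pagination validator` so the dependency is explicit.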
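diff --git a/server/middlewares/validators/abuse.ts b/server/middlewares/validators/abuse.ts
index 9b94008ce..70bae1775 100644
--- a/server/middlewares/validators/abuse.ts
+++ b/server/middlewares/validators/abuse.ts
@@ -18,6 +18,7 @@ import { AbuseMessageModel } from '@server/models/abuse/abuse-message'
 import { AbuseCreate, UserRight } from '@shared/models'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import { areValidationErrors, doesAbuseExist, doesAccountIdExist, doesCommentIdExist, doesVideoExist } from './shared'
+import { forceNumber } from '@shared/core-utils'
 
 const abuseReportValidator = [
   body('account.id')
@@ -216,7 +217,7 @@ const deleteAbuseMessageValidator = [
     const user = res.locals.oauth.token.user
     const abuse = res.locals.abuse
 
-    const messageId = parseInt(req.params.messageId + '', 10)
+    const messageId = forceNumber(req.params.messageId)
     const abuseMessage = await AbuseMessageModel.loadByIdAndAbuseId(messageId, abuse.id)
 
     if (!abuseMessage) {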
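Review bot: `messageId` from `forceNumber(req.params.messageId)` is handed to `loadByIdAndAbuseId` without a NaN check, and the `param(...)` chain of deleteAbuseMessageValidator starts outside this hunk, so it is not visible whether `messageId` is constrained with `isIdValid` the way other validators in this commit do. If it is not, a non-numeric path segment becomes NaN and is rejected by the database query rather than by the validator with a 4xx. Either add `param('messageId').custom(isIdValid)` to the chain, or short-circuit before the load with `if (Number.isNaN(messageId)) return res.fail({ status: HttpStatusCode.NOT_FOUND_404, message: 'Abuse message not found' })`, reusing whatever message the existing `!abuseMessage` branch sends.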
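diff --git a/server/middlewares/validators/redundancy.ts b/server/middlewares/validators/redundancy.ts
index 79460f63c..c80f9b728 100644
--- a/server/middlewares/validators/redundancy.ts
+++ b/server/middlewares/validators/redundancy.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { isVideoRedundancyTarget } from '@server/helpers/custom-validators/video-redundancies'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '../../../shared/models/http/http-error-codes'
 import {
   exists,
@@ -171,7 +172,7 @@ const removeVideoRedundancyValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    const redundancy = await VideoRedundancyModel.loadByIdWithVideo(parseInt(req.params.redundancyId, 10))
+    const redundancy = await VideoRedundancyModel.loadByIdWithVideo(forceNumber(req.params.redundancyId))
     if (!redundancy) {
       return res.fail({
         status: HttpStatusCode.NOT_FOUND_404,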
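diff --git a/server/middlewares/validators/shared/abuses.ts b/server/middlewares/validators/shared/abuses.ts
index 2b8d86ba5..2c988f9ec 100644
--- a/server/middlewares/validators/shared/abuses.ts
+++ b/server/middlewares/validators/shared/abuses.ts
@@ -1,9 +1,10 @@
 import { Response } from 'express'
 import { AbuseModel } from '@server/models/abuse/abuse'
 import { HttpStatusCode } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 async function doesAbuseExist (abuseId: number | string, res: Response) {
-  const abuse = await AbuseModel.loadByIdWithReporter(parseInt(abuseId + '', 10))
+  const abuse = await AbuseModel.loadByIdWithReporter(forceNumber(abuseId))
 
   if (!abuse) {
     res.fail({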
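Review bot: Style: the new `import { forceNumber } from '@shared/core-utils'` is placed after `@shared/models` here (and in abuse.ts), whereas accounts.ts, users.ts, video-comments.ts and the other files touched by this commit insert it before `@shared/models`; keeping the `@shared/*` group in one order across the touched files avoids churn in the next import-sort pass. `doesAbuseExist` accepts `number | string`, so a one-line comment on the coercion would also make its purpose clear to the next reader: `// abuseId may be a raw route param; coerce it before it reaches the query`. The function continues past the end of the hunk.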
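diff --git a/server/middlewares/validators/shared/accounts.ts b/server/middlewares/validators/shared/accounts.ts
index fe4f83aa0..72b0e235e 100644
--- a/server/middlewares/validators/shared/accounts.ts
+++ b/server/middlewares/validators/shared/accounts.ts
@@ -2,10 +2,11 @@ import { Response } from 'express'
 import { AccountModel } from '@server/models/account/account'
 import { UserModel } from '@server/models/user/user'
 import { MAccountDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function doesAccountIdExist (id: number | string, res: Response, sendNotFound = true) {
-  const promise = AccountModel.load(parseInt(id + '', 10))
+  const promise = AccountModel.load(forceNumber(id))
 
   return doesAccountExist(promise, res, sendNotFound)
 }
@@ -40,7 +41,7 @@ async function doesAccountExist (p: Promise<MAccountDefault>, res: Response, sen
 }
 
 async function doesUserFeedTokenCorrespond (id: number, token: string, res: Response) {
-  const user = await UserModel.loadByIdWithChannels(parseInt(id + '', 10))
+  const user = await UserModel.loadByIdWithChannels(forceNumber(id))
 
   if (token !== user.feedToken) {
     res.fail({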
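Review bot: In `doesUserFeedTokenCorrespond` the result of `UserModel.loadByIdWithChannels(forceNumber(id))` is dereferenced as `user.feedToken` with no null check, so an id that matches no user (or a NaN from a non-numeric id, since forceNumber appears to be a coercion only) throws a TypeError inside the validator instead of failing cleanly — unless the loader is guaranteed to return a row, which is not visible here. Guard it on the comparison line: `if (!user || token !== user.feedToken) {`. Separately, the parameter is declared `id: number` while its sibling `doesAccountIdExist` takes `number | string`; either widen the type to match callers that pass route params, or the coercion on a `number` is redundant. The rest of the function lies outside the hunk.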
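diff --git a/server/middlewares/validators/shared/users.ts b/server/middlewares/validators/shared/users.ts
index fbaa7db0e..b8f1436d3 100644
--- a/server/middlewares/validators/shared/users.ts
+++ b/server/middlewares/validators/shared/users.ts
@@ -2,10 +2,11 @@ import express from 'express'
 import { ActorModel } from '@server/models/actor/actor'
 import { UserModel } from '@server/models/user/user'
 import { MUserDefault } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 function checkUserIdExist (idArg: number | string, res: express.Response, withStats = false) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   return checkUserExist(() => UserModel.loadByIdWithChannels(id, withStats), res)
 }
 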
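diff --git a/server/middlewares/validators/shared/video-comments.ts b/server/middlewares/validators/shared/video-comments.ts
index 8d1a16294..0961b3ec9 100644
--- a/server/middlewares/validators/shared/video-comments.ts
+++ b/server/middlewares/validators/shared/video-comments.ts
@@ -1,10 +1,11 @@
 import express from 'express'
 import { VideoCommentModel } from '@server/models/video/video-comment'
 import { MVideoId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, ServerErrorCode } from '@shared/models'
 
 async function doesVideoCommentThreadExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadById(id)
 
   if (!videoComment) {
@@ -33,7 +34,7 @@ async function doesVideoCommentThreadExist (idArg: number | string, video: MVide
 }
 
 async function doesVideoCommentExist (idArg: number | string, video: MVideoId, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {
@@ -57,7 +58,7 @@ async function doesVideoCommentExist (idArg: number | string, video: MVideoId, r
 }
 
 async function doesCommentIdExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 
   if (!videoComment) {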
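diff --git a/server/middlewares/validators/shared/video-ownerships.ts b/server/middlewares/validators/shared/video-ownerships.ts
index 680613cda..33ac9c8b6 100644
--- a/server/middlewares/validators/shared/video-ownerships.ts
+++ b/server/middlewares/validators/shared/video-ownerships.ts
@@ -1,9 +1,10 @@
 import express from 'express'
 import { VideoChangeOwnershipModel } from '@server/models/video/video-change-ownership'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode } from '@shared/models'
 
 async function doesChangeVideoOwnershipExist (idArg: number | string, res: express.Response) {
-  const id = parseInt(idArg + '', 10)
+  const id = forceNumber(idArg)
   const videoChangeOwnership = await VideoChangeOwnershipModel.load(id)
 
   if (!videoChangeOwnership) {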
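diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts
index 055af3b64..50327b6ae 100644
--- a/server/middlewares/validators/users.ts
+++ b/server/middlewares/validators/users.ts
@@ -1,6 +1,7 @@
 import express from 'express'
 import { body, param, query } from 'express-validator'
 import { Hooks } from '@server/lib/plugins/hooks'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRegister, UserRight, UserRole } from '@shared/models'
 import { exists, isBooleanValid, isIdValid, toBooleanOrNull, toIntOrNull } from '../../helpers/custom-validators/misc'
 import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
@@ -515,7 +516,7 @@ const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Requ
 
     const user = res.locals.oauth.token.User
     const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
-    const targetUserId = parseInt(targetUserIdGetter(req) + '')
+    const targetUserId = forceNumber(targetUserIdGetter(req))
 
     // Admin/moderator action on another user, skip the password check
     if (isAdminOrModerator && targetUserId !== user.id) {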
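diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index f295b1885..72442aeb6 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+    if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
     if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
     if (res.locals.videoImport.state !== VideoImportState.PENDING) {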
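diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 6d4b8a6f1..e4b7e5c56 100644
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
   HttpStatusCode,
   UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+    const playlistElementId = forceNumber(req.params.playlistElementId)
     const playlistId = req.params.playlistId
 
     const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)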
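Review bot: `playlistElementId` is now coerced with `forceNumber`, but `playlistId = req.params.playlistId` on the next line is passed to `loadByPlaylistAndElementIdForAP` untouched, which sits oddly next to the commit's stated goal of not handing raw request input to the models. If playlistId is a UUID on this ActivityPub route (plausible, but not visible in the hunk) the line is fine and deserves a comment so the asymmetry is deliberate: `// playlistId is a UUID already checked by the param() chain above; only the element id is numeric`. If it is a numeric id, coerce it the same way as the element id. The `param(...)` chain of videoPlaylistElementAPGetValidator starts outside the hunk.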