author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/models/abuse/abuse-query-builder.ts | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/models/abuse/abuse-query-builder.ts')
-rw-r--r-- | server/models/abuse/abuse-query-builder.ts | 5 |
1 files changed, 3 insertions, 2 deletions
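--- a/server/models/abuse/abuse-query-builder.ts
+++ b/server/models/abuse/abuse-query-builder.ts
@@ -1,5 +1,6 @@
 
 import { exists } from '@server/helpers/custom-validators/misc'
+import { forceNumber } from '@shared/core-utils'
 import { AbuseFilter, AbuseState, AbuseVideoIs } from '@shared/models'
 import { buildBlockedAccountSQL, buildDirectionAndField } from '../utils'
 
@@ -135,12 +136,12 @@ function buildAbuseListQuery (options: BuildAbusesQueryOptions, type: 'count' |
 }
 
 if (exists(options.count)) {
-const count = parseInt(options.count + '', 10)
+const count = forceNumber(options.count)
 suffix += `LIMIT ${count} `
 }
 
 if (exists(options.start)) {
-const start = parseInt(options.start + '', 10)
+const start = forceNumber(options.start)
 suffix += `OFFSET ${start} `
 }
 }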
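Review bot: The LIMIT and OFFSET values are still spliced into the SQL string as `${count}` and `${start}`, so the safety of the two new `forceNumber` lines rests entirely on that helper returning a numeric primitive for every input that passes `exists`; if it can yield NaN the way the replaced `parseInt` did on non-numeric input, the query becomes `LIMIT NaN` and fails at execution instead of at validation. I would reject anything that is not a usable integer right after the conversion, `if (!Number.isInteger(count) || count < 0) throw new Error('Invalid count value')`, and mirror the same guard for `start`. Passing both values as bind parameters rather than interpolating them would remove the dependence on the helper altogether, if the code that executes `suffix` supports replacements (not visible here). `buildAbuseListQuery` begins outside this hunk.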