author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/models/user | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe models too
Diffstat (limited to 'server/models/user')
-rw-r--r-- | server/models/user/user-notification.ts | 3 | ||||
-rw-r--r-- | server/models/user/user.ts | 15 |
2 files changed, 10 insertions, 8 deletions
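--- a/server/models/user/user-notification.ts
+++ b/server/models/user/user-notification.ts
@@ -2,6 +2,7 @@ import { ModelIndexesOptions, Op, WhereOptions } from 'sequelize'
 import { AllowNull, BelongsTo, Column, CreatedAt, Default, ForeignKey, Is, Model, Table, UpdatedAt } from 'sequelize-typescript'
 import { getBiggestActorImage } from '@server/lib/actor-image'
 import { UserNotificationIncludes, UserNotificationModelForApi } from '@server/types/models/user'
+import { forceNumber } from '@shared/core-utils'
 import { uuidToShort } from '@shared/extra-utils'
 import { UserNotification, UserNotificationType } from '@shared/models'
 import { AttributesOnly } from '@shared/typescript-utils'
@@ -284,7 +285,7 @@ export class UserNotificationModel extends Model<Partial<AttributesOnly<UserNoti
 }
 
 static removeNotificationsOf (options: { id: number, type: 'account' | 'server', forUserId?: number }) {
-const id = parseInt(options.id + '', 10)
+const id = forceNumber(options.id)
 
 function buildAccountWhereQuery (base: string) {
 const whereSuffix = options.forUserId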
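Review bot: `const id = forceNumber(options.id)` on new line 288 has no guard on its result, so if forceNumber behaves like the parseInt it replaces, a non-numeric `options.id` yields NaN, which would then be written as the literal `NaN` into the string-built where clause that `buildAccountWhereQuery` appears to assemble — not an injection, but a silently wrong query. A one-line check after the coercion makes the failure explicit: `if (isNaN(id)) throw new Error('Invalid id in removeNotificationsOf')`. The last visible line also reads `options.forUserId` into `whereSuffix` without the same coercion; worth confirming in the part of the function outside the hunk that it is either coerced the same way or bound as a query parameter rather than concatenated. removeNotificationsOf's body continues outside the hunk, and forceNumber's contract (NaN versus throwing) is not visible here.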
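--- a/server/models/user/user.ts
+++ b/server/models/user/user.ts
@@ -70,6 +70,7 @@ import { VideoImportModel } from '../video/video-import'
 import { VideoLiveModel } from '../video/video-live'
 import { VideoPlaylistModel } from '../video/video-playlist'
 import { UserNotificationSettingModel } from './user-notification-setting'
+import { forceNumber } from '@shared/core-utils'
 
 enum ScopeNames {
 FOR_ME_API = 'FOR_ME_API',
@@ -900,27 +901,27 @@ export class UserModel extends Model<Partial<AttributesOnly<UserModel>>> {
 videoQuotaDaily: this.videoQuotaDaily,
 
 videoQuotaUsed: videoQuotaUsed !== undefined
-? parseInt(videoQuotaUsed + '', 10) + LiveQuotaStore.Instance.getLiveQuotaOf(this.id)
+? forceNumber(videoQuotaUsed) + LiveQuotaStore.Instance.getLiveQuotaOf(this.id)
 : undefined,
 
 videoQuotaUsedDaily: videoQuotaUsedDaily !== undefined
-? parseInt(videoQuotaUsedDaily + '', 10) + LiveQuotaStore.Instance.getLiveQuotaOf(this.id)
+? forceNumber(videoQuotaUsedDaily) + LiveQuotaStore.Instance.getLiveQuotaOf(this.id)
 : undefined,
 
 videosCount: videosCount !== undefined
-? parseInt(videosCount + '', 10)
+? forceNumber(videosCount)
 : undefined,
 abusesCount: abusesCount
-? parseInt(abusesCount, 10)
+? forceNumber(abusesCount)
 : undefined,
 abusesAcceptedCount: abusesAcceptedCount
-? parseInt(abusesAcceptedCount, 10)
+? forceNumber(abusesAcceptedCount)
 : undefined,
 abusesCreatedCount: abusesCreatedCount !== undefined
-? parseInt(abusesCreatedCount + '', 10)
+? forceNumber(abusesCreatedCount)
 : undefined,
 videoCommentsCount: videoCommentsCount !== undefined
-? parseInt(videoCommentsCount + '', 10)
+? forceNumber(videoCommentsCount)
 : undefined,
 
 noInstanceConfigWarningModal: this.noInstanceConfigWarningModal,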
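Review bot: `abusesCount` and `abusesAcceptedCount` (new lines 914–918) are still guarded by truthiness while every neighbouring field uses `!== undefined`; the old `parseInt(abusesCount, 10)` without `+ ''` suggests these two arrived as strings, where `'0'` is truthy, but if forceNumber now accepts a numeric value too, a genuine count of 0 would be reported as `undefined` instead of 0. Making the guards match their siblings removes the trap: `abusesCount: abusesCount !== undefined ? forceNumber(abusesCount) : undefined` (and likewise for abusesAcceptedCount). Separately, the new import on line 73 is appended after the relative `./` imports, whereas the same import in user-notification.ts sits with the other `@shared` imports; grouping it with those would keep the two files consistent. The enclosing method starts and ends outside the hunk, and the types of these aggregate values are not visible here.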