diff options
author | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-11-15 14:41:55 +0100 |
commit | 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch) | |
tree | 3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /server/models/video/video-share.ts | |
parent | 6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff) | |
download | PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip |
Don't inject untrusted input
Even if it's already checked in middlewares
It's better to have safe modals too
Diffstat (limited to 'server/models/video/video-share.ts')
-rw-r--r-- | server/models/video/video-share.ts | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/server/models/video/video-share.ts b/server/models/video/video-share.ts index ca63bb2d9..f2190037e 100644 --- a/server/models/video/video-share.ts +++ b/server/models/video/video-share.ts | |||
@@ -1,5 +1,6 @@ | |||
1 | import { literal, Op, QueryTypes, Transaction } from 'sequelize' | 1 | import { literal, Op, QueryTypes, Transaction } from 'sequelize' |
2 | import { AllowNull, BelongsTo, Column, CreatedAt, DataType, ForeignKey, Is, Model, Scopes, Table, UpdatedAt } from 'sequelize-typescript' | 2 | import { AllowNull, BelongsTo, Column, CreatedAt, DataType, ForeignKey, Is, Model, Scopes, Table, UpdatedAt } from 'sequelize-typescript' |
3 | import { forceNumber } from '@shared/core-utils' | ||
3 | import { AttributesOnly } from '@shared/typescript-utils' | 4 | import { AttributesOnly } from '@shared/typescript-utils' |
4 | import { isActivityPubUrlValid } from '../../helpers/custom-validators/activitypub/misc' | 5 | import { isActivityPubUrlValid } from '../../helpers/custom-validators/activitypub/misc' |
5 | import { CONSTRAINTS_FIELDS } from '../../initializers/constants' | 6 | import { CONSTRAINTS_FIELDS } from '../../initializers/constants' |
@@ -123,7 +124,7 @@ export class VideoShareModel extends Model<Partial<AttributesOnly<VideoShareMode | |||
123 | } | 124 | } |
124 | 125 | ||
125 | static loadActorsWhoSharedVideosOf (actorOwnerId: number, t: Transaction): Promise<MActorDefault[]> { | 126 | static loadActorsWhoSharedVideosOf (actorOwnerId: number, t: Transaction): Promise<MActorDefault[]> { |
126 | const safeOwnerId = parseInt(actorOwnerId + '', 10) | 127 | const safeOwnerId = forceNumber(actorOwnerId) |
127 | 128 | ||
128 | // /!\ On actor model | 129 | // /!\ On actor model |
129 | const query = { | 130 | const query = { |
@@ -148,7 +149,7 @@ export class VideoShareModel extends Model<Partial<AttributesOnly<VideoShareMode | |||
148 | } | 149 | } |
149 | 150 | ||
150 | static loadActorsByVideoChannel (videoChannelId: number, t: Transaction): Promise<MActorDefault[]> { | 151 | static loadActorsByVideoChannel (videoChannelId: number, t: Transaction): Promise<MActorDefault[]> { |
151 | const safeChannelId = parseInt(videoChannelId + '', 10) | 152 | const safeChannelId = forceNumber(videoChannelId) |
152 | 153 | ||
153 | // /!\ On actor model | 154 | // /!\ On actor model |
154 | const query = { | 155 | const query = { |