aboutsummaryrefslogtreecommitdiffhomepage
path: root/shared
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
committerChocobozzz <me@florianbigard.com>2022-11-15 14:41:55 +0100
commit4638cd713dcdd007cd7f49b9a95fa62ac7823e7c (patch)
tree3e341c6ebbd1ce9e2bbacd72e7e3793e0bd467c2 /shared
parent6bcb559fc9a491fc3ce83e7c077ee9dc742b1d63 (diff)
downloadPeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.gz
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.tar.zst
PeerTube-4638cd713dcdd007cd7f49b9a95fa62ac7823e7c.zip
Don't inject untrusted input
Even if it's already checked in middlewares It's better to have safe modals too
Diffstat (limited to 'shared')
-rw-r--r--shared/core-utils/common/index.ts1
-rw-r--r--shared/core-utils/common/number.ts7
-rw-r--r--shared/extra-utils/ffprobe.ts3
-rw-r--r--shared/server-commands/miscs/sql-command.ts3
4 files changed, 12 insertions, 2 deletions
diff --git a/shared/core-utils/common/index.ts b/shared/core-utils/common/index.ts
index 720977ead..8d63ee1b2 100644
--- a/shared/core-utils/common/index.ts
+++ b/shared/core-utils/common/index.ts
@@ -2,6 +2,7 @@ export * from './array'
2export * from './random' 2export * from './random'
3export * from './date' 3export * from './date'
4export * from './env' 4export * from './env'
5export * from './number'
5export * from './object' 6export * from './object'
6export * from './path' 7export * from './path'
7export * from './regexp' 8export * from './regexp'
diff --git a/shared/core-utils/common/number.ts b/shared/core-utils/common/number.ts
new file mode 100644
index 000000000..9a96dcf5c
--- /dev/null
+++ b/shared/core-utils/common/number.ts
@@ -0,0 +1,7 @@
1function forceNumber (value: any) {
2 return parseInt(value + '')
3}
4
5export {
6 forceNumber
7}
diff --git a/shared/extra-utils/ffprobe.ts b/shared/extra-utils/ffprobe.ts
index b8e9f4c18..7efc58a0d 100644
--- a/shared/extra-utils/ffprobe.ts
+++ b/shared/extra-utils/ffprobe.ts
@@ -1,4 +1,5 @@
1import { ffprobe, FfprobeData } from 'fluent-ffmpeg' 1import { ffprobe, FfprobeData } from 'fluent-ffmpeg'
2import { forceNumber } from '@shared/core-utils'
2import { VideoFileMetadata, VideoResolution } from '@shared/models/videos' 3import { VideoFileMetadata, VideoResolution } from '@shared/models/videos'
3 4
4/** 5/**
@@ -55,7 +56,7 @@ async function getAudioStream (videoPath: string, existingProbe?: FfprobeData) {
55 return { 56 return {
56 absolutePath: data.format.filename, 57 absolutePath: data.format.filename,
57 audioStream, 58 audioStream,
58 bitrate: parseInt(audioStream['bit_rate'] + '', 10) 59 bitrate: forceNumber(audioStream['bit_rate'])
59 } 60 }
60 } 61 }
61 } 62 }
diff --git a/shared/server-commands/miscs/sql-command.ts b/shared/server-commands/miscs/sql-command.ts
index b0d9ce56d..f163cc8c9 100644
--- a/shared/server-commands/miscs/sql-command.ts
+++ b/shared/server-commands/miscs/sql-command.ts
@@ -1,4 +1,5 @@
1import { QueryTypes, Sequelize } from 'sequelize' 1import { QueryTypes, Sequelize } from 'sequelize'
2import { forceNumber } from '@shared/core-utils'
2import { AbstractCommand } from '../shared' 3import { AbstractCommand } from '../shared'
3 4
4export class SQLCommand extends AbstractCommand { 5export class SQLCommand extends AbstractCommand {
@@ -63,7 +64,7 @@ export class SQLCommand extends AbstractCommand {
63 64
64 if (!total) return 0 65 if (!total) return 0
65 66
66 return parseInt(total + '', 10) 67 return forceNumber(total)
67 } 68 }
68 69
69 getActorImage (filename: string) { 70 getActorImage (filename: string) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-23 11:51:18 +0000