-rw-r--r--server/helpers/custom-validators/misc.ts5
-rw-r--r--server/middlewares/validators/static.ts6
2 files changed, 10 insertions, 1 deletions
diff --git a/server/helpers/custom-validators/misc.ts b/server/helpers/custom-validators/misc.ts
index b3ab3ac64..ebab4c6b2 100644
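--- a/server/helpers/custom-validators/misc.ts
+++ b/server/helpers/custom-validators/misc.ts
@@ -15,6 +15,10 @@ function isSafePath (p: string) {
  })
 }
 
+function isSafePeerTubeFilenameWithoutExtension (filename: string) {
+ return filename.match(/^[a-z0-9-]+$/)
+}
+
 function isArray (value: any): value is any[] {
  return Array.isArray(value)
 }
@@ -172,5 +176,6 @@ export {
  areUUIDsValid,
  toIntArray,
  isFileValid,
+ isSafePeerTubeFilenameWithoutExtension,
  checkMimetypeRegex
 }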
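Review bot: `isSafePeerTubeFilenameWithoutExtension` returns the result of `filename.match(...)`, which is a match array or `null`, not the boolean that its `is…` name and the neighbouring `isArray` predicate suggest. Returning `typeof filename === 'string' && /^[a-z0-9-]+$/.test(filename)` gives callers a real boolean. It also avoids a thrown TypeError if a non-string value reaches the function, which could happen when a query parameter is supplied more than once. A one-line comment such as `// Allow-list only: no dots, slashes or backslashes, so the name cannot carry a path separator or '..'` would record why the pattern is this strict.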
diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts
index d3d307787..45d56bcd6 100644
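--- a/server/middlewares/validators/static.ts
+++ b/server/middlewares/validators/static.ts
@@ -2,7 +2,7 @@ import express from 'express'
 import { query } from 'express-validator'
 import LRUCache from 'lru-cache'
 import { basename, dirname } from 'path'
-import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
+import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
 import { logger } from '@server/helpers/logger'
 import { LRU_CACHE } from '@server/initializers/constants'
 import { VideoModel } from '@server/models/video/video'
@@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [
  .customSanitizer(toBooleanOrNull)
  .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'),
 
+ query('playlistName')
+ .optional()
+ .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
+
 async (req: express.Request, res: express.Response, next: express.NextFunction) => {
  if (areValidationErrors(req, res)) return
 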
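Review bot: The new `playlistName` chain registers the check with `.customSanitizer(...)`, which replaces the query value with the function's return value and never records a validation error. `areValidationErrors` therefore cannot reject an unsafe name: the value becomes `null` for a rejected name and a regex match array for an accepted one, rather than staying a string. If the intent is to refuse the request, use `.custom(isSafePeerTubeFilenameWithoutExtension).withMessage('Should have a safe playlistName')`, which keeps the original string and fails validation on anything outside `[a-z0-9-]`. The handler that consumes `playlistName` continues past the end of this hunk, so whether it copes with a `null` or array value cannot be confirmed here. A test that requests a `playlistName` containing `../` and expects a 400 response would pin the behaviour.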