diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/helpers/custom-validators/misc.ts | 5 | ||||
-rw-r--r-- | server/middlewares/validators/static.ts | 6 |
2 files changed, 10 insertions, 1 deletions
diff --git a/server/helpers/custom-validators/misc.ts b/server/helpers/custom-validators/misc.ts index b3ab3ac64..ebab4c6b2 100644 --- a/server/helpers/custom-validators/misc.ts +++ b/server/helpers/custom-validators/misc.ts | |||
@@ -15,6 +15,10 @@ function isSafePath (p: string) { | |||
15 | }) | 15 | }) |
16 | } | 16 | } |
17 | 17 | ||
18 | function isSafePeerTubeFilenameWithoutExtension (filename: string) { | ||
19 | return filename.match(/^[a-z0-9-]+$/) | ||
20 | } | ||
21 | |||
18 | function isArray (value: any): value is any[] { | 22 | function isArray (value: any): value is any[] { |
19 | return Array.isArray(value) | 23 | return Array.isArray(value) |
20 | } | 24 | } |
@@ -172,5 +176,6 @@ export { | |||
172 | areUUIDsValid, | 176 | areUUIDsValid, |
173 | toIntArray, | 177 | toIntArray, |
174 | isFileValid, | 178 | isFileValid, |
179 | isSafePeerTubeFilenameWithoutExtension, | ||
175 | checkMimetypeRegex | 180 | checkMimetypeRegex |
176 | } | 181 | } |
diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts index d3d307787..45d56bcd6 100644 --- a/server/middlewares/validators/static.ts +++ b/server/middlewares/validators/static.ts | |||
@@ -2,7 +2,7 @@ import express from 'express' | |||
2 | import { query } from 'express-validator' | 2 | import { query } from 'express-validator' |
3 | import LRUCache from 'lru-cache' | 3 | import LRUCache from 'lru-cache' |
4 | import { basename, dirname } from 'path' | 4 | import { basename, dirname } from 'path' |
5 | import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc' | 5 | import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc' |
6 | import { logger } from '@server/helpers/logger' | 6 | import { logger } from '@server/helpers/logger' |
7 | import { LRU_CACHE } from '@server/initializers/constants' | 7 | import { LRU_CACHE } from '@server/initializers/constants' |
8 | import { VideoModel } from '@server/models/video/video' | 8 | import { VideoModel } from '@server/models/video/video' |
@@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [ | |||
69 | .customSanitizer(toBooleanOrNull) | 69 | .customSanitizer(toBooleanOrNull) |
70 | .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'), | 70 | .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'), |
71 | 71 | ||
72 | query('playlistName') | ||
73 | .optional() | ||
74 | .customSanitizer(isSafePeerTubeFilenameWithoutExtension), | ||
75 | |||
72 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | 76 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { |
73 | if (areValidationErrors(req, res)) return | 77 | if (areValidationErrors(req, res)) return |
74 | 78 | ||