From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input

Even if it's already checked in middlewares
It's better to have safe modals too
---
 server/controllers/api/videos/update.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'server/controllers/api/videos/update.ts')

diff --git a/server/controllers/api/videos/update.ts b/server/controllers/api/videos/update.ts
index 0a910379a..260dee2b9 100644
--- a/server/controllers/api/videos/update.ts
+++ b/server/controllers/api/videos/update.ts
@@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU
 import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update'
 import { VideoModel } from '../../../models/video/video'
 import { VideoPathManager } from '@server/lib/video-path-manager'
+import { forceNumber } from '@shared/core-utils'
 
 const lTags = loggerTagsFactory('api', 'video')
 const auditLogger = auditLoggerFactory('videos')
@@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: {
   const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options
   const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy)
 
-  const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10)
+  const newPrivacy = forceNumber(videoInfoToUpdate.privacy)
   setVideoPrivacy(videoInstance, newPrivacy)
 
   // Unfederate the video if the new privacy is not compatible with federation
-- 
cgit v1.2.3