From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input Even if it's already checked in middlewares It's better to have safe modals too
---
 server/controllers/api/videos/update.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'server/controllers/api/videos')
diff --git a/server/controllers/api/videos/update.ts b/server/controllers/api/videos/update.ts
index 0a910379a..260dee2b9 100644
--- a/server/controllers/api/videos/update.ts
+++ b/server/controllers/api/videos/update.ts
@@ -19,6 +19,7 @@ import { asyncMiddleware, asyncRetryTransactionMiddleware, authenticate, videosU
 import { ScheduleVideoUpdateModel } from '../../../models/video/schedule-video-update'
 import { VideoModel } from '../../../models/video/video'
 import { VideoPathManager } from '@server/lib/video-path-manager'
+import { forceNumber } from '@shared/core-utils'
 const lTags = loggerTagsFactory('api', 'video')
 const auditLogger = auditLoggerFactory('videos')
@@ -174,7 +175,7 @@ async function updateVideoPrivacy (options: {
 const { videoInstance, videoInfoToUpdate, hadPrivacyForFederation, transaction } = options
 const isNewVideo = videoInstance.isNewVideo(videoInfoToUpdate.privacy)
- const newPrivacy = parseInt(videoInfoToUpdate.privacy.toString(), 10)
+ const newPrivacy = forceNumber(videoInfoToUpdate.privacy)
 setVideoPrivacy(videoInstance, newPrivacy)
 // Unfederate the video if the new privacy is not compatible with federation
-- cgit v1.2.3
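Review bot: The raw `videoInfoToUpdate.privacy` still reaches `videoInstance.isNewVideo(...)` on the context line just above the changed one in the second hunk, so only `setVideoPrivacy` receives the coerced value. Coercing first and reusing the result keeps both calls on the same number: `const newPrivacy = forceNumber(videoInfoToUpdate.privacy)` followed by `const isNewVideo = videoInstance.isNewVideo(newPrivacy)`. The body of `forceNumber` is not visible here; if it can yield `NaN` for non-numeric input, that value would be handed to `setVideoPrivacy` unchanged, so a check that the result is one of the allowed privacy values before the call would make this layer safe independently of the middleware validators, which is the intent the commit message states. `updateVideoPrivacy` starts before and continues past the hunk, so later uses of `videoInfoToUpdate.privacy` in the function could not be checked from here.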