From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 15 Nov 2022 14:41:55 +0100 Subject: Don't inject untrusted input Even if it's already checked in middlewares It's better to have safe modals too --- server/helpers/custom-validators/video-studio.ts | 3 ++- server/helpers/video.ts | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'server/helpers')
diff --git a/server/helpers/custom-validators/video-studio.ts b/server/helpers/custom-validators/video-studio.ts
index 19e7906d5..68dfec8dd 100644
--- a/server/helpers/custom-validators/video-studio.ts
+++ b/server/helpers/custom-validators/video-studio.ts
@@ -4,6 +4,7 @@ import { buildTaskFileFieldname } from '@server/lib/video-studio'
 import { VideoStudioTask } from '@shared/models'
 import { isArray } from './misc'
 import { isVideoFileMimeTypeValid, isVideoImageValid } from './videos'
+import { forceNumber } from '@shared/core-utils'
 
 function isValidStudioTasksArray (tasks: any) {
   if (!isArray(tasks)) return false
@@ -24,7 +25,7 @@ function isStudioCutTaskValid (task: VideoStudioTask) {
 
   if (!start || !end) return true
 
-  return parseInt(start + '') < parseInt(end + '')
+  return forceNumber(start) < forceNumber(end)
 }
 
 function isStudioTaskAddIntroOutroValid (task: VideoStudioTask, indice: number, files: Express.Multer.File[]) {
diff --git a/server/helpers/video.ts b/server/helpers/video.ts
index f5f645d3e..c688ef1e3 100644
--- a/server/helpers/video.ts
+++ b/server/helpers/video.ts
@@ -2,6 +2,7 @@ import { Response } from 'express'
 import { CONFIG } from '@server/initializers/config'
 import { isStreamingPlaylist, MStreamingPlaylistVideo, MVideo } from '@server/types/models'
 import { VideoPrivacy, VideoState } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 function getVideoWithAttributes (res: Response) {
   return res.locals.videoAPI || res.locals.videoAll || res.locals.onlyVideo
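Review bot: The new line `return forceNumber(start) < forceNumber(end)` makes the cut validator's verdict depend on what `forceNumber` returns for input it cannot parse, and that helper is not visible in this diff: a NaN result fails the `<` and rejects the task, which is the safe direction, but a fallback to 0 would let a malformed `start` through as a cut from zero. The check would be self-contained if the parsed values were validated before comparing, e.g. `const s = forceNumber(start)`, `const e = forceNumber(end)`, `return Number.isInteger(s) && Number.isInteger(e) && s >= 0 && s < e`. Nothing in the hunk rejects a negative `start` either, unless the option checks earlier in `isStudioCutTaskValid` already do. That function starts outside the hunk, so those earlier checks cannot be confirmed here.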
@@ -14,14 +15,14 @@ function extractVideo (videoOrPlaylist: MVideo | MStreamingPlaylistVideo) {
 }
 
 function isPrivacyForFederation (privacy: VideoPrivacy) {
-  const castedPrivacy = parseInt(privacy + '', 10)
+  const castedPrivacy = forceNumber(privacy)
 
   return castedPrivacy === VideoPrivacy.PUBLIC ||
     (CONFIG.FEDERATION.VIDEOS.FEDERATE_UNLISTED === true && castedPrivacy === VideoPrivacy.UNLISTED)
 }
 
 function isStateForFederation (state: VideoState) {
-  const castedState = parseInt(state + '', 10)
+  const castedState = forceNumber(state)
 
   return castedState === VideoState.PUBLISHED || castedState === VideoState.WAITING_FOR_LIVE || castedState === VideoState.LIVE_ENDED
 }
-- cgit v1.2.3
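Review bot: The removed lines pinned the radix with `parseInt(privacy + '', 10)` and `parseInt(state + '', 10)`, while the replacement `forceNumber(...)` delegates parsing to a helper whose rules are not shown in this diff; if it is a bare `parseInt(value + '')`, a hex-looking string such as `'0x1'` now yields 1 (`VideoPrivacy.PUBLIC`) where the old line yielded 0, so the helper's radix and failure value are worth confirming before the federation decision relies on them. If the helper yields NaN for unparsable input the failure mode is safe, since NaN matches none of the `===` branches and both functions return false, and that non-federated default deserves a comment on the `const castedPrivacy` line, e.g. `// Unparsable privacy yields NaN, which matches no branch below: not federated by default`, with the same note on `const castedState`. Both `isPrivacyForFederation` and `isStateForFederation` are complete within the hunk.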