From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input

Even if it's already checked in middlewares
It's better to have safe modals too
---
 server/helpers/custom-validators/video-studio.ts | 3 ++-
 server/helpers/video.ts                          | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

(limited to 'server/helpers')

diff --git a/server/helpers/custom-validators/video-studio.ts b/server/helpers/custom-validators/video-studio.ts
index 19e7906d5..68dfec8dd 100644
--- a/server/helpers/custom-validators/video-studio.ts
+++ b/server/helpers/custom-validators/video-studio.ts
@@ -4,6 +4,7 @@ import { buildTaskFileFieldname } from '@server/lib/video-studio'
 import { VideoStudioTask } from '@shared/models'
 import { isArray } from './misc'
 import { isVideoFileMimeTypeValid, isVideoImageValid } from './videos'
+import { forceNumber } from '@shared/core-utils'
 
 function isValidStudioTasksArray (tasks: any) {
   if (!isArray(tasks)) return false
@@ -24,7 +25,7 @@ function isStudioCutTaskValid (task: VideoStudioTask) {
 
   if (!start || !end) return true
 
-  return parseInt(start + '') < parseInt(end + '')
+  return forceNumber(start) < forceNumber(end)
 }
 
 function isStudioTaskAddIntroOutroValid (task: VideoStudioTask, indice: number, files: Express.Multer.File[]) {
diff --git a/server/helpers/video.ts b/server/helpers/video.ts
index f5f645d3e..c688ef1e3 100644
--- a/server/helpers/video.ts
+++ b/server/helpers/video.ts
@@ -2,6 +2,7 @@ import { Response } from 'express'
 import { CONFIG } from '@server/initializers/config'
 import { isStreamingPlaylist, MStreamingPlaylistVideo, MVideo } from '@server/types/models'
 import { VideoPrivacy, VideoState } from '@shared/models'
+import { forceNumber } from '@shared/core-utils'
 
 function getVideoWithAttributes (res: Response) {
   return res.locals.videoAPI || res.locals.videoAll || res.locals.onlyVideo
@@ -14,14 +15,14 @@ function extractVideo (videoOrPlaylist: MVideo | MStreamingPlaylistVideo) {
 }
 
 function isPrivacyForFederation (privacy: VideoPrivacy) {
-  const castedPrivacy = parseInt(privacy + '', 10)
+  const castedPrivacy = forceNumber(privacy)
 
   return castedPrivacy === VideoPrivacy.PUBLIC ||
     (CONFIG.FEDERATION.VIDEOS.FEDERATE_UNLISTED === true && castedPrivacy === VideoPrivacy.UNLISTED)
 }
 
 function isStateForFederation (state: VideoState) {
-  const castedState = parseInt(state + '', 10)
+  const castedState = forceNumber(state)
 
   return castedState === VideoState.PUBLISHED || castedState === VideoState.WAITING_FOR_LIVE || castedState === VideoState.LIVE_ENDED
 }
-- 
cgit v1.2.3