From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input Even if it's already checked in middlewares It's better to have safe modals too
---
 server/middlewares/validators/shared/video-comments.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'server/middlewares/validators/shared/video-comments.ts')
diff --git a/server/middlewares/validators/shared/video-comments.ts b/server/middlewares/validators/shared/video-comments.ts
index 8d1a16294..0961b3ec9 100644
--- a/server/middlewares/validators/shared/video-comments.ts
+++ b/server/middlewares/validators/shared/video-comments.ts
@@ -1,10 +1,11 @@
 import express from 'express'
 import { VideoCommentModel } from '@server/models/video/video-comment'
 import { MVideoId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, ServerErrorCode } from '@shared/models'
 async function doesVideoCommentThreadExist (idArg: number | string, video: MVideoId, res: express.Response) {
- const id = parseInt(idArg + '', 10)
+ const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadById(id)
 if (!videoComment) {
@@ -33,7 +34,7 @@ async function doesVideoCommentThreadExist (idArg: number | string, video: MVide
 }
 async function doesVideoCommentExist (idArg: number | string, video: MVideoId, res: express.Response) {
- const id = parseInt(idArg + '', 10)
+ const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 if (!videoComment) {
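Review bot: Nothing checks the result of `forceNumber(idArg)` before it reaches `VideoCommentModel.loadById(id)` or `loadByIdAndPopulateVideoAndAccountAndReply(id)`, and this holds for all three functions changed here (`doesVideoCommentThreadExist`, `doesVideoCommentExist`, and `doesCommentIdExist` in the hunk at -57,7). The helper's body is not part of this diff; if it wraps `parseInt` as the removed lines did, a malformed id still yields `NaN`, and if it omits the explicit radix `10` that the removed lines passed, a string such as `'0x10'` would now parse as 16 instead of 0. Since the commit's stated aim is to stop relying on the middleware check alone, I would add `if (!Number.isSafeInteger(id))` directly after the coercion and answer it the same way the existing `if (!videoComment)` branch does, with a comment such as `// Defense in depth: never pass the raw request value to the model`. Each function's body continues outside its hunk, so the exact not-found response is not visible here.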
@@ -57,7 +58,7 @@ async function doesVideoCommentExist (idArg: number | string, video: MVideoId, r
 }
 async function doesCommentIdExist (idArg: number | string, res: express.Response) {
- const id = parseInt(idArg + '', 10)
+ const id = forceNumber(idArg)
 const videoComment = await VideoCommentModel.loadByIdAndPopulateVideoAndAccountAndReply(id)
 if (!videoComment) {
-- 
cgit v1.2.3