From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input

Even if it's already checked in middlewares
It's better to have safe modals too
---
 server/middlewares/validators/videos/video-imports.ts | 3 ++-
 server/middlewares/validators/videos/video-playlists.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'server/middlewares/validators/videos')

diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts
index f295b1885..72442aeb6 100644
--- a/server/middlewares/validators/videos/video-imports.ts
+++ b/server/middlewares/validators/videos/video-imports.ts
@@ -4,6 +4,7 @@ import { isResolvingToUnicastOnly } from '@server/helpers/dns'
 import { isPreImportVideoAccepted } from '@server/lib/moderation'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { MUserAccountId, MVideoImport } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import { HttpStatusCode, UserRight, VideoImportState } from '@shared/models'
 import { VideoImportCreate } from '@shared/models/videos/import/video-import-create.model'
 import { isIdValid, toIntOrNull } from '../../../helpers/custom-validators/misc'
@@ -130,7 +131,7 @@ const videoImportCancelValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    if (!await doesVideoImportExist(parseInt(req.params.id), res)) return
+    if (!await doesVideoImportExist(forceNumber(req.params.id), res)) return
     if (!checkUserCanManageImport(res.locals.oauth.token.user, res.locals.videoImport, res)) return
 
     if (res.locals.videoImport.state !== VideoImportState.PENDING) {
diff --git a/server/middlewares/validators/videos/video-playlists.ts b/server/middlewares/validators/videos/video-playlists.ts
index 6d4b8a6f1..e4b7e5c56 100644
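Review bot: The value produced by `forceNumber(req.params.id)` is passed straight into `doesVideoImportExist` with no local check, so this validator still depends on the earlier `isIdValid` param rule (imported above) to reject non-numeric ids; if `forceNumber` wraps `parseInt` as its name suggests, a malformed id would reach the lookup as `NaN` rather than being rejected here. Given the commit's stated goal of keeping these handlers safe on their own, a self-contained guard makes that explicit: `const importId = forceNumber(req.params.id)` followed by `if (Number.isNaN(importId))` replying with a `HttpStatusCode.BAD_REQUEST_400` response before the `doesVideoImportExist` call (the file's error-reply helper is not visible in this hunk, so use whatever the surrounding validators use). The same pattern applies to the `playlistElementId` line in the video-playlists.ts hunk, where the previous `parseInt(..., 10)` form at least made the radix explicit. Failing that, a comment such as `// coerces the id to a number; rejection of non-numeric input is handled by isIdValid in the param rules above` would document the dependency. The enclosing validator array and async handler both continue outside the hunk.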
--- a/server/middlewares/validators/videos/video-playlists.ts
+++ b/server/middlewares/validators/videos/video-playlists.ts
@@ -2,6 +2,7 @@ import express from 'express'
 import { body, param, query, ValidationChain } from 'express-validator'
 import { ExpressPromiseHandler } from '@server/types/express-handler'
 import { MUserAccountId } from '@server/types/models'
+import { forceNumber } from '@shared/core-utils'
 import {
   HttpStatusCode,
   UserRight,
@@ -258,7 +259,7 @@ const videoPlaylistElementAPGetValidator = [
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-    const playlistElementId = parseInt(req.params.playlistElementId + '', 10)
+    const playlistElementId = forceNumber(req.params.playlistElementId)
     const playlistId = req.params.playlistId
 
     const videoPlaylistElement = await VideoPlaylistElementModel.loadByPlaylistAndElementIdForAP(playlistId, playlistElementId)
-- 
cgit v1.2.3