From 7b54a81cccf6b4c12269e9d6897d608b1a99537a Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 6 Jan 2022 11:16:35 +0100 Subject: Prevent video import on non unicast ips --- server/middlewares/validators/videos/video-imports.ts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'server/middlewares/validators/videos') diff --git a/server/middlewares/validators/videos/video-imports.ts b/server/middlewares/validators/videos/video-imports.ts index 640139c73..e4b54283f 100644 --- a/server/middlewares/validators/videos/video-imports.ts +++ b/server/middlewares/validators/videos/video-imports.ts @@ -13,6 +13,7 @@ import { CONFIG } from '../../../initializers/config' import { CONSTRAINTS_FIELDS } from '../../../initializers/constants' import { areValidationErrors, doesVideoChannelOfAccountExist } from '../shared' import { getCommonVideoEditAttributes } from './videos' +import { isValid as isIPValid, parse as parseIP } from 'ipaddr.js' const videoImportAddValidator = getCommonVideoEditAttributes().concat([ body('channelId') @@ -71,6 +72,23 @@ const videoImportAddValidator = getCommonVideoEditAttributes().concat([ return res.fail({ message: 'Should have a magnetUri or a targetUrl or a torrent file.' }) } + if (req.body.targetUrl) { + const hostname = new URL(req.body.targetUrl).hostname + + if (isIPValid(hostname)) { + const parsed = parseIP(hostname) + + if (parsed.range() !== 'unicast') { + cleanUpReqFiles(req) + + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot use non unicast IP as targetUrl.' + }) + } + } + } + if (!await isImportAccepted(req, res)) return cleanUpReqFiles(req) return next() -- cgit v1.2.3 From 795212f7acc690c88c86d0fab8772f6564d59cb8 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Thu, 6 Jan 2022 13:27:29 +0100 Subject: Prevent caption listing of private videos --- .../validators/videos/video-captions.ts | 22 +++++++++++++++++++--- server/middlewares/validators/videos/videos.ts | 19 ++++++------------- 2 files changed, 25 insertions(+), 16 deletions(-) (limited to 'server/middlewares/validators/videos') diff --git a/server/middlewares/validators/videos/video-captions.ts b/server/middlewares/validators/videos/video-captions.ts index 38321ccf9..4fc4c8ec5 100644 --- a/server/middlewares/validators/videos/video-captions.ts +++ b/server/middlewares/validators/videos/video-captions.ts @@ -1,11 +1,18 @@ import express from 'express' import { body, param } from 'express-validator' -import { UserRight } from '../../../../shared' +import { HttpStatusCode, UserRight } from '../../../../shared' import { isVideoCaptionFile, isVideoCaptionLanguageValid } from '../../../helpers/custom-validators/video-captions' import { cleanUpReqFiles } from '../../../helpers/express-utils' import { logger } from '../../../helpers/logger' import { CONSTRAINTS_FIELDS, MIMETYPES } from '../../../initializers/constants' -import { areValidationErrors, checkUserCanManageVideo, doesVideoCaptionExist, doesVideoExist, isValidVideoIdParam } from '../shared' +import { + areValidationErrors, + checkCanSeeVideoIfPrivate, + checkUserCanManageVideo, + doesVideoCaptionExist, + doesVideoExist, + isValidVideoIdParam +} from '../shared' const addVideoCaptionValidator = [ isValidVideoIdParam('videoId'), @@ -64,7 +71,16 @@ const listVideoCaptionsValidator = [ logger.debug('Checking listVideoCaptions parameters', { parameters: req.params }) if (areValidationErrors(req, res)) return - if (!await doesVideoExist(req.params.videoId, res, 'id')) return + if (!await doesVideoExist(req.params.videoId, res, 'only-video')) return + + const video = res.locals.onlyVideo + + if (!await checkCanSeeVideoIfPrivate(req, res, video)) { + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot list captions of private/internal/blocklisted video' + }) + } return next() } diff --git a/server/middlewares/validators/videos/videos.ts b/server/middlewares/validators/videos/videos.ts index 3ebdbc33d..782f495e8 100644 --- a/server/middlewares/validators/videos/videos.ts +++ b/server/middlewares/validators/videos/videos.ts @@ -51,9 +51,9 @@ import { CONSTRAINTS_FIELDS, OVERVIEWS } from '../../../initializers/constants' import { isLocalVideoAccepted } from '../../../lib/moderation' import { Hooks } from '../../../lib/plugins/hooks' import { VideoModel } from '../../../models/video/video' -import { authenticatePromiseIfNeeded } from '../../auth' import { areValidationErrors, + checkCanSeePrivateVideo, checkUserCanManageVideo, doesVideoChannelOfAccountExist, doesVideoExist, @@ -317,19 +317,12 @@ const videosCustomGetValidator = ( // Video private or blacklisted if (video.requiresAuth()) { - await authenticatePromiseIfNeeded(req, res, authenticateInQuery) + if (await checkCanSeePrivateVideo(req, res, video, authenticateInQuery)) return next() - const user = res.locals.oauth ? res.locals.oauth.token.User : null - - // Only the owner or a user that have blocklist rights can see the video - if (!user || !user.canGetVideo(video)) { - return res.fail({ - status: HttpStatusCode.FORBIDDEN_403, - message: 'Cannot get this private/internal or blocklisted video' - }) - } - - return next() + return res.fail({ + status: HttpStatusCode.FORBIDDEN_403, + message: 'Cannot get this private/internal or blocklisted video' + }) } // Video is public, anyone can access it -- cgit v1.2.3