From 4638cd713dcdd007cd7f49b9a95fa62ac7823e7c Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Tue, 15 Nov 2022 14:41:55 +0100
Subject: Don't inject untrusted input Even if it's already checked in middlewares It's better to have safe modals too
---
 server/models/actor/actor.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'server/models/actor')
diff --git a/server/models/actor/actor.ts b/server/models/actor/actor.ts
index 88db241dc..d7afa727d 100644
--- a/server/models/actor/actor.ts
+++ b/server/models/actor/actor.ts
@@ -18,7 +18,7 @@ import {
 import { activityPubContextify } from '@server/lib/activitypub/context'
 import { getBiggestActorImage } from '@server/lib/actor-image'
 import { ModelCache } from '@server/models/model-cache'
-import { getLowercaseExtension } from '@shared/core-utils'
+import { forceNumber, getLowercaseExtension } from '@shared/core-utils'
 import { ActivityIconObject, ActivityPubActorType, ActorImageType } from '@shared/models'
 import { AttributesOnly } from '@shared/typescript-utils'
 import {
@@ -446,7 +446,7 @@ export class ActorModel extends Model>> {
 }
 static rebuildFollowsCount (ofId: number, type: 'followers' | 'following', transaction?: Transaction) {
- const sanitizedOfId = parseInt(ofId + '', 10)
+ const sanitizedOfId = forceNumber(ofId)
 const where = { id: sanitizedOfId }
 let columnToUpdate: string
--
cgit v1.2.3
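Review bot: In `rebuildFollowsCount`, the result of `forceNumber(ofId)` goes straight into `where = { id: sanitizedOfId }` with no visible check that the coercion produced a usable id. The `parseInt` call it replaces returns `NaN` for non-numeric input, and `forceNumber`, which is defined outside this diff, may do the same. A guard right after the assignment would make the model fail closed, for example `if (!Number.isInteger(sanitizedOfId)) throw new Error('Invalid actor id')`. The function body continues past the hunk, so if `sanitizedOfId` or `columnToUpdate` is later interpolated into a raw query string, passing the id as a bind parameter would be safer than relying on coercion alone. A short comment on the line, such as `// Defence in depth: coerce to a number even though middlewares already validate the id`, would also record why the call is there.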