From d7ce9dca613d96889baa0c93063806268f68cce5 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Mon, 27 Feb 2023 09:44:03 +0100 Subject: Add additional check for playlistName --- server/helpers/custom-validators/misc.ts | 5 +++++ server/middlewares/validators/static.ts | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'server')
diff --git a/server/helpers/custom-validators/misc.ts b/server/helpers/custom-validators/misc.ts
index b3ab3ac64..ebab4c6b2 100644
--- a/server/helpers/custom-validators/misc.ts
+++ b/server/helpers/custom-validators/misc.ts
@@ -15,6 +15,10 @@ function isSafePath (p: string) {
   })
 }
 
+function isSafePeerTubeFilenameWithoutExtension (filename: string) {
+  return filename.match(/^[a-z0-9-]+$/)
+}
+
 function isArray (value: any): value is any[] {
   return Array.isArray(value)
 }
@@ -172,5 +176,6 @@ export {
   areUUIDsValid,
   toIntArray,
   isFileValid,
+  isSafePeerTubeFilenameWithoutExtension,
   checkMimetypeRegex
 }
diff --git a/server/middlewares/validators/static.ts b/server/middlewares/validators/static.ts
index d3d307787..45d56bcd6 100644
--- a/server/middlewares/validators/static.ts
+++ b/server/middlewares/validators/static.ts
@@ -2,7 +2,7 @@ import express from 'express'
 import { query } from 'express-validator'
 import LRUCache from 'lru-cache'
 import { basename, dirname } from 'path'
-import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
+import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
 import { logger } from '@server/helpers/logger'
 import { LRU_CACHE } from '@server/initializers/constants'
 import { VideoModel } from '@server/models/video/video'
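Review bot: `isSafePeerTubeFilenameWithoutExtension` returns the raw `filename.match(...)` result, i.e. `RegExpMatchArray | null` rather than a boolean, and it throws a `TypeError` when `filename` is not a string, which an Express query parameter can be (`?playlistName[]=x` arrives as an array). Since it is exported next to `isSafePath` and `isUUIDValid` as a yes/no check, I would make it total and boolean: `return typeof filename === 'string' && /^[a-z0-9-]+$/.test(filename)`. A short comment on the intent would also help the next reader, e.g. `// Allow-list for PeerTube-generated file names: lowercase alphanumerics and '-' only, so no dot, slash or whitespace can get through`; how the value is ultimately consumed is not visible in this hunk, so I have not claimed more than the regex shows.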
@@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [
     .customSanitizer(toBooleanOrNull)
     .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'),
 
+  query('playlistName')
+    .optional()
+    .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return
 
-- cgit v1.2.3
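Review bot: The new `query('playlistName')` chain registers the check with `.customSanitizer(...)`, and a sanitizer never rejects a request: it only rewrites the value, so `req.query.playlistName` becomes the `RegExpMatchArray` for an accepted name and `null` for a bad one, while no validation error is recorded for `areValidationErrors(req, res)` on the following line to catch. If the goal is to refuse names outside `[a-z0-9-]`, it has to be a validator: `.custom(isSafePeerTubeFilenameWithoutExtension).withMessage('Should have a valid playlistName')`, where the `null` return of a failed match is falsy and fails the request with a 400 like the sibling checks in this array; the handler then also keeps receiving the original string instead of a match array. Note that if the helper throws on a non-string value, a sanitizer would presumably surface that as a middleware error rather than a 400, whereas `.custom()` treats a throw as a validation failure. `ensureCanAccessPrivateVideoHLSFiles` continues past the hunk, so I cannot see how `playlistName` is consumed downstream.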