yetangitu/Peertube
1
0
Fork 0
mirror of https://github.com/Chocobozzz/PeerTube.git synced 2025-10-05 02:39:33 +02:00
Code Issues Releases Wiki Activity

Don't inject untrusted input

Browse source 
Even if it's already checked in middlewares
It's better to have safe modals too
This commit is contained in:
Chocobozzz 2022-11-15 14:41:55 +01:00
parent 6bcb559fc9
commit 4638cd713d
No known key found for this signature in database
GPG key ID: 583A612D890159BE
35 changed files with 101 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

5
server/models/utils.ts
View file

@ -1,5 +1,6 @@
import { literal, Op, OrderItem, Sequelize } from 'sequelize'
import validator from 'validator'
import { forceNumber } from '@shared/core-utils'
type SortType = { sortModel: string, sortValue: string }
@ -202,7 +203,7 @@ function buildBlockedAccountSQLOptimized (columnNameJoin: string, blockerIds: nu
}
function buildServerIdsFollowedBy (actorId: any) {
const actorIdNumber = parseInt(actorId + '', 10)
const actorIdNumber = forceNumber(actorId)
return '(' +
'SELECT "actor"."serverId" FROM "actorFollow" ' +
@ -218,7 +219,7 @@ function buildWhereIdOrUUID (id: number | string) {
function parseAggregateResult (result: any) {
if (!result) return 0
const total = parseInt(result + '', 10)
const total = forceNumber(result)
if (isNaN(total)) return 0
return total