Add additional check for playlistName

pull/5665/head
Chocobozzz 2023-02-27 09:44:03 +01:00
parent 4765348107
commit d7ce9dca61
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
2 changed files with 10 additions and 1 deletions


@ -15,6 +15,10 @@ function isSafePath (p: string) {
})
}
function isSafePeerTubeFilenameWithoutExtension (filename: string) {
return filename.match(/^[a-z0-9-]+$/)
}
function isArray (value: any): value is any[] {
return Array.isArray(value)
}
@ -172,5 +176,6 @@ export {
areUUIDsValid,
toIntArray,
isFileValid,
isSafePeerTubeFilenameWithoutExtension,
checkMimetypeRegex
}
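Review bot: `isSafePeerTubeFilenameWithoutExtension` returns the result of `String.prototype.match` (a match array or `null`) rather than a boolean, and it calls `.match` without confirming that `filename` is a string. Query-string values parsed by Express can arrive as arrays or objects, so a non-string input would probably throw here instead of being reported as invalid. I would annotate the return type as `boolean` and use `return typeof filename === 'string' && /^[a-z0-9-]+$/.test(filename)`. A one-line comment stating that only lowercase letters, digits and hyphens are accepted, so dots and path separators are excluded, would document why the helper counts as "safe".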


@ -2,7 +2,7 @@ import express from 'express'
import { query } from 'express-validator'
import LRUCache from 'lru-cache'
import { basename, dirname } from 'path'
import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
import { logger } from '@server/helpers/logger'
import { LRU_CACHE } from '@server/initializers/constants'
import { VideoModel } from '@server/models/video/video'
@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [
.customSanitizer(toBooleanOrNull)
.isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'),
query('playlistName')
.optional()
.customSanitizer(isSafePeerTubeFilenameWithoutExtension),
async (req: express.Request, res: express.Response, next: express.NextFunction) => {
if (areValidationErrors(req, res)) return
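Review bot: The `playlistName` check is attached with `.customSanitizer(...)`, which in express-validator replaces the field's value with the function's return value and does not record a validation error. As written, a name outside `[a-z0-9-]` is rewritten to `null` and a valid one to the regex match array, and the request still passes `areValidationErrors`. Whether the later code handles those values safely is not visible in this hunk. If the intent is to reject unsafe names, use a validator instead: `.custom(isSafePeerTubeFilenameWithoutExtension).withMessage('Should be a valid playlistName')`. The handler body continues outside the hunk.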