From 35870a01583b2947030f4e3d4ac769c3ff298386 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sun, 27 Apr 2025 09:18:52 -0500
Subject: [PATCH] Update upload API endpoint to validate request body

---
 client/pages/upload/index.vue | 9 ++-------
 server/controllers/MiscController.js | 22 ++++++++++++++--------
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/client/pages/upload/index.vue b/client/pages/upload/index.vue
index 1ea8009b..2c9442ca 100644
--- a/client/pages/upload/index.vue
+++ b/client/pages/upload/index.vue
@@ -316,9 +316,8 @@ export default {
         .$post('/api/upload', form)
         .then(() => true)
         .catch((error) => {
-          console.error('Failed', error)
-          var errorMessage = error.response && error.response.data ? error.response.data : 'Oops, something went wrong...'
-          this.$toast.error(errorMessage)
+          console.error('Failed to upload item', error)
+          this.$toast.error(error.response?.data || 'Oops, something went wrong...')
           return false
         })
     },
@@ -382,13 +381,9 @@ export default {
         }
       }
 
-      let itemsUploaded = 0
-      let itemsFailed = 0
       for (const item of itemsToUpload) {
         this.updateItemCardStatus(item.index, 'uploading')
         const result = await this.uploadItem(item)
-        if (result) itemsUploaded++
-        else itemsFailed++
         this.updateItemCardStatus(item.index, result ? 'success' : 'failed')
       }
       this.processing = false
diff --git a/server/controllers/MiscController.js b/server/controllers/MiscController.js
index 0e9f0377..06cd4d84 100644
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
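Review bot: The new `this.$toast.error(error.response?.data || 'Oops, something went wrong...')` line in the .catch handler displays whatever body the server, or a proxy in front of it, returns, so a JSON error object or an HTML error page ends up rendered in the toast rather than a short message. A type guard keeps the toast to strings the client expects, e.g. `const message = typeof error.response?.data === 'string' ? error.response.data : 'Oops, something went wrong...'` followed by `this.$toast.error(message)`. The enclosing method (presumably `uploadItem`, which the loop in the next hunk calls) starts before this hunk.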
@@ -37,25 +37,31 @@ class MiscController {
       Logger.warn(`User "${req.user.username}" attempted to upload without permission`)
       return res.sendStatus(403)
     }
-    if (!req.files) {
+    if (!req.files || !Object.values(req.files).length) {
       Logger.error('Invalid request, no files')
       return res.sendStatus(400)
     }
 
     const files = Object.values(req.files)
-    const { title, author, series, folder: folderId, library: libraryId } = req.body
+    let { title, author, series, folder: folderId, library: libraryId } = req.body
 
+    // Validate request body
+    if (!libraryId || !folderId || typeof libraryId !== 'string' || typeof folderId !== 'string' || !title || typeof title !== 'string') {
+      return res.status(400).send('Invalid request body')
+    }
+    if (!series || typeof series !== 'string') {
+      series = null
+    }
+    if (!author || typeof author !== 'string') {
+      author = null
+    }
     const library = await Database.libraryModel.findByIdWithFolders(libraryId)
     if (!library) {
-      return res.status(404).send(`Library not found with id ${libraryId}`)
+      return res.status(404).send('Library not found')
     }
     const folder = library.libraryFolders.find((fold) => fold.id === folderId)
     if (!folder) {
-      return res.status(404).send(`Folder not found with id ${folderId} in library ${library.name}`)
-    }
-
-    if (!files.length || !title) {
-      return res.status(500).send(`Invalid post data`)
+      return res.status(404).send('Folder not found')
     }
 
     // Podcasts should only be one folder deep
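Review bot: The added body validation still accepts a whitespace-only `title`, because `'   '` is both truthy and a string, so the `if (!libraryId || !folderId || ...)` guard lets through a value that is empty once trimmed; normalise first with `title = title.trim()` and reject the empty result in that same guard, and consider trimming `author` and `series` before the `= null` fallbacks as well. If, as the "Podcasts should only be one folder deep" comment suggests, these three fields are joined into the destination directory further down, this check is also the natural place to reject path separators and `..` segments (for example `if (/[\\/]|(^|[\\/])\.\.($|[\\/])/.test(title)) return res.status(400).send('Invalid request body')`), unless the path-building code already runs them through a filename sanitiser — that code is outside the hunk, so confirm before relying on it. Bounding the length of `title` here would likewise turn an oversized field into a clean 400 instead of a filesystem error during the copy. The enclosing upload handler's signature and the rest of its body lie outside this hunk.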