Update upload API endpoint to validate request body

2025-10-27 11:18:14 +01:00 · 2025-04-27 09:18:52 -05:00 · 2025-04-27 09:18:52 -05:00 · 35870a0158
commit 35870a0158
parent ec05bd36e4
2 changed files with 16 additions and 15 deletions
--- a/client/pages/upload/index.vue
+++ b/client/pages/upload/index.vue
@ -316,9 +316,8 @@ export default {
        .$post('/api/upload', form)
        .then(() => true)
        .catch((error) => {
-          console.error('Failed', error)
-          var errorMessage = error.response && error.response.data ? error.response.data : 'Oops, something went wrong...'
-          this.$toast.error(errorMessage)
+          console.error('Failed to upload item', error)
+          this.$toast.error(error.response?.data || 'Oops, something went wrong...')
          return false
        })
    },
@ -382,13 +381,9 @@ export default {
        }
      }

-      let itemsUploaded = 0
-      let itemsFailed = 0
      for (const item of itemsToUpload) {
        this.updateItemCardStatus(item.index, 'uploading')
        const result = await this.uploadItem(item)
-        if (result) itemsUploaded++
-        else itemsFailed++
        this.updateItemCardStatus(item.index, result ? 'success' : 'failed')
      }
      this.processing = false
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@ -37,25 +37,31 @@ class MiscController {
      Logger.warn(`User "${req.user.username}" attempted to upload without permission`)
      return res.sendStatus(403)
    }
-    if (!req.files) {
+    if (!req.files || !Object.values(req.files).length) {
      Logger.error('Invalid request, no files')
      return res.sendStatus(400)
    }

    const files = Object.values(req.files)
-    const { title, author, series, folder: folderId, library: libraryId } = req.body
+    let { title, author, series, folder: folderId, library: libraryId } = req.body
+    // Validate request body
+    if (!libraryId || !folderId || typeof libraryId !== 'string' || typeof folderId !== 'string' || !title || typeof title !== 'string') {
+      return res.status(400).send('Invalid request body')
+    }
+    if (!series || typeof series !== 'string') {
+      series = null
+    }
+    if (!author || typeof author !== 'string') {
+      author = null
+    }

    const library = await Database.libraryModel.findByIdWithFolders(libraryId)
    if (!library) {
-      return res.status(404).send(`Library not found with id ${libraryId}`)
+      return res.status(404).send('Library not found')
    }
    const folder = library.libraryFolders.find((fold) => fold.id === folderId)
    if (!folder) {
-      return res.status(404).send(`Folder not found with id ${folderId} in library ${library.name}`)
-    }
-
-    if (!files.length || !title) {
-      return res.status(500).send(`Invalid post data`)
+      return res.status(404).send('Folder not found')
    }

    // Podcasts should only be one folder deep