Add additional check for playlistName

server/helpers/custom-validators/misc.ts

@@ -15,6 +15,10 @@ function isSafePath (p: string) {
     })
 }
 
+function isSafePeerTubeFilenameWithoutExtension (filename: string) {
+  return filename.match(/^[a-z0-9-]+$/)
+}
+
 function isArray (value: any): value is any[] {
   return Array.isArray(value)
 }
@@ -172,5 +176,6 @@ export {
   areUUIDsValid,
   toIntArray,
   isFileValid,
+  isSafePeerTubeFilenameWithoutExtension,
   checkMimetypeRegex
 }

server/middlewares/validators/static.ts

@@ -2,7 +2,7 @@ import express from 'express'
 import { query } from 'express-validator'
 import LRUCache from 'lru-cache'
 import { basename, dirname } from 'path'
-import { exists, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
+import { exists, isSafePeerTubeFilenameWithoutExtension, isUUIDValid, toBooleanOrNull } from '@server/helpers/custom-validators/misc'
 import { logger } from '@server/helpers/logger'
 import { LRU_CACHE } from '@server/initializers/constants'
 import { VideoModel } from '@server/models/video/video'
@@ -69,6 +69,10 @@ const ensureCanAccessPrivateVideoHLSFiles = [
     .customSanitizer(toBooleanOrNull)
     .isBoolean().withMessage('Should be a valid reinjectVideoFileToken boolean'),
 
+  query('playlistName')
+    .optional()
+    .customSanitizer(isSafePeerTubeFilenameWithoutExtension),
+
   async (req: express.Request, res: express.Response, next: express.NextFunction) => {
     if (areValidationErrors(req, res)) return