fix: closes #13176, check if uid is number when creating tokens

barisusakli · barisusakli · commit 80cc1d34b083 · 2025-02-18T10:42:52.000-05:00
diff --git a/src/api/utils.js b/src/api/utils.js
@@ -52,6 +52,9 @@ utils.tokens.get = async (tokens) => {
 };
 
 utils.tokens.generate = async ({ uid, description }) => {
+	if (!srcUtils.isNumber(uid)) {
+		throw new Error('[[error:invalid-uid]]');
+	}
 	if (parseInt(uid, 10) !== 0) {
 		const uidExists = await user.exists(uid);
 		if (!uidExists) {
@@ -66,7 +69,7 @@ utils.tokens.generate = async ({ uid, description }) => {
 };
 
 utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now() }) => {
-	if (!token || uid === undefined) {
+	if (!token || uid === undefined || !srcUtils.isNumber(uid)) {
 		throw new Error('[[error:invalid-data]]');
 	}
 
@@ -80,6 +83,9 @@ utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now()
 };
 
 utils.tokens.update = async (token, { uid, description }) => {
+	if (!srcUtils.isNumber(uid)) {
+		throw new Error('[[error:invalid-uid]]');
+	}
 	await Promise.all([
 		db.setObject(`token:${token}`, { uid, description }),
 		db.sortedSetAdd(`tokens:uid`, uid, token),
diff --git a/src/views/admin/partials/edit-token-modal.tpl b/src/views/admin/partials/edit-token-modal.tpl
@@ -1,13 +1,13 @@
 <form role="form">
     <div class="mb-3">
         <label class="form-label" for="uid">[[admin/settings/api:uid]]</label>
-        <input type="text" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="0" value="{./uid}" />
+        <input id="uid" type="number" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="0" value="{./uid}" />
         <p class="form-text">
             [[admin/settings/api:uid-help-text]]
         </p>
     </div>
     <div class="mb-3">
         <label class="form-label" for="description">[[admin/settings/api:description]]</label>
-        <input type="text" name="description" class="form-control" placeholder="Description" value="{./description}" />
+        <input id="description" type="text" name="description" class="form-control" placeholder="Description" value="{./description}" />
     </div>
 </form>
