BUG: POST /assets no input validation for duration — NaN stored when absent #69

New issue

Closed

opened 2026-05-25 04:07:41 -04:00 by zgaetano · 0 comments

zgaetano commented 2026-05-25 04:07:41 -04:00

Owner

Copy link

Bug

In services/mam-api/src/routes/assets.js:82:

const durationMs = duration ? Math.round(duration * 1000) : null;

If req.body.duration is "" (empty string), JavaScript treats "" as falsy, so it correctly falls to null. But if req.body.duration is 0 (which should mean "zero-length clip"), it's also falsy and becomes null.

More importantly, if duration is an arbitrary non-number type that is truthy (e.g. "abc"), Math.round("abc" * 1000) = NaN, and NaN gets stored into duration_ms as a Postgres NaN value (postgres actually rounds NaN to NULL when the column is BIGINT, but this depends on driver behavior).

Impact

• A NaN duration stored in the DB can cause issues in JS-side calculations later (e.g., NaN < 5 is false)
• If the capture service somehow produces duration=0 (possible with a zero-frame recording that wasn't caught by the empty check), the asset gets duration_ms=NULL instead of 0

Location

services/mam-api/src/routes/assets.js:82

Fix

const durationMs = (duration !== undefined && duration !== null && Number.isFinite(Number(duration)))
  ? Math.round(Number(duration) * 1000) 
  : null;

## Bug In `services/mam-api/src/routes/assets.js:82`: ```js const durationMs = duration ? Math.round(duration * 1000) : null; ``` If `req.body.duration` is `""` (empty string), JavaScript treats `""` as falsy, so it correctly falls to `null`. But if `req.body.duration` is `0` (which should mean "zero-length clip"), it's also falsy and becomes `null`. More importantly, if `duration` is an arbitrary non-number type that is truthy (e.g. `"abc"`), `Math.round("abc" * 1000)` = `NaN`, and `NaN` gets stored into `duration_ms` as a Postgres `NaN` value (postgres actually rounds `NaN` to `NULL` when the column is `BIGINT`, but this depends on driver behavior). ## Impact - A `NaN` duration stored in the DB can cause issues in JS-side calculations later (e.g., `NaN < 5` is `false`) - If the capture service somehow produces `duration=0` (possible with a zero-frame recording that wasn't caught by the `empty` check), the asset gets `duration_ms=NULL` instead of `0` ## Location `services/mam-api/src/routes/assets.js:82` ## Fix ```js const durationMs = (duration !== undefined && duration !== null && Number.isFinite(Number(duration))) ? Math.round(Number(duration) * 1000) : null; ```

zgaetano closed this issue 2026-05-25 18:27:27 -04:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/playout-mcr

feat/user-permissions

feat/recorder-codec-bitrate

feat/hls-vod-playback

feat/uxp-plugin-swap

feat/nvenc-hevc-ingest

feat/all-intra-hevc-ingest

redesign/panel-icon-rail

feat/premiere-installer

feat/youtube-importer

fix/library-and-signal-indicator

fix/srt-rtmp-thumbnail

v0.phase1-editor

Labels

Clear labels   

bug

Bug report

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

bug

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: WildDragonLLC/dragonflight#69

No description provided.