From 7b9a8e34562bbb6afeb1f682bf33df1be8ec0498 Mon Sep 17 00:00:00 2001
From: Emilien <4016501+unixfox@users.noreply.github.com>
Date: Sun, 28 Jun 2026 11:41:48 +0200
Subject: [PATCH] fix: security issue playlist deletion cross user fixes #5777
---
 src/invidious/database/playlists.cr | 6 +++---
 src/invidious/routes/api/v1/authenticated.cr | 2 +-
 src/invidious/routes/playlists.cr | 8 ++++++--
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/invidious/database/playlists.cr b/src/invidious/database/playlists.cr
index 6dbcaa05..4db6b11d 100644
--- a/src/invidious/database/playlists.cr
+++ b/src/invidious/database/playlists.cr
@@ -194,13 +194,13 @@ module Invidious::Database::PlaylistVideos
 PG_DB.exec(request, args: video_array)
 end
- def delete(index)
+ def delete(index, plid : String)
 request = <<-SQL
 DELETE FROM playlist_videos *
- WHERE index = $1
+ WHERE index = $1 AND plid = $2
 SQL
- PG_DB.exec(request, index)
+ PG_DB.exec(request, index, plid)
 end
 def delete_by_playlist(plid : String)
diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index 7021321f..fcefc118 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -364,7 +364,7 @@ module Invidious::Routes::API::V1::Authenticated
 return error_json(404, "Playlist does not contain index")
 end
- Invidious::Database::PlaylistVideos.delete(index)
+ Invidious::Database::PlaylistVideos.delete(index, plid)
 Invidious::Database::Playlists.update_video_removed(plid, index)
 env.response.status_code = 204
diff --git a/src/invidious/routes/playlists.cr b/src/invidious/routes/playlists.cr
index 56e529b2..3a633d50 100644
--- a/src/invidious/routes/playlists.cr
+++ b/src/invidious/routes/playlists.cr
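Review bot: In src/invidious/database/playlists.cr, `PlaylistVideos.delete` gains the `plid` predicate that the whole fix rests on, but nothing on the method says that this predicate is an authorization boundary, and `index` stays untyped next to `plid : String`. I would add a comment above the signature, for example `# Deletes one entry of playlist plid; keep the plid predicate, index alone can match rows of other users' playlists.`, so a later refactor does not drop it. Typing the parameter as `index : Int64` would also stop a raw query-string value from reaching the query, assuming both callers pass an Int64; the web route does after its `to_i64?`, while the API route's conversion is outside the visible hunk.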
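Review bot: In src/invidious/routes/api/v1/authenticated.cr, `PlaylistVideos.delete(index, plid)` and `Playlists.update_video_removed(plid, index)` remain two independent statements, so a failure of the second leaves the row deleted while the playlist record presumably still lists the index. The same pair appears in the `remove_video` branch of src/invidious/routes/playlists.cr. Unless a transaction is opened outside the hunk, running both calls in one would keep the "Playlist does not contain index" check consistent with the table. The enclosing handler starts and ends outside the hunk, so the ownership check on `plid` cannot be confirmed from here.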
@@ -357,8 +357,12 @@ module Invidious::Routes::Playlists
 Invidious::Database::PlaylistVideos.insert(playlist_video)
 Invidious::Database::Playlists.update_video_added(playlist_id, playlist_video.index)
 when "remove_video"
- index = env.params.query["set_video_id"]
- Invidious::Database::PlaylistVideos.delete(index)
+ index = env.params.query["set_video_id"].to_i64?
+ if index.nil? || !playlist.index.includes? index
+ return error_json(404, "Playlist does not contain index")
+ end
+
+ Invidious::Database::PlaylistVideos.delete(index, playlist_id)
 Invidious::Database::Playlists.update_video_removed(playlist_id, index)
 when "move_video_before"
 # TODO: Playlist stub
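Review bot: `env.params.query["set_video_id"]` still uses the raising accessor, so a `remove_video` request that omits the parameter fails with a KeyError before the new 404 guard is reached; `to_i64?` only covers a non-numeric value. The nilable lookup puts both cases on the same path: `index = env.params.query["set_video_id"]?.try &.to_i64?`. `playlist` and `playlist_id` are defined outside the hunk, so this note assumes `playlist` was loaded for `playlist_id` and already checked against the signed-in user.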