Refactor theme and language validation to use basic format checks instead of allowlists

2026-02-28 20:30:11 +01:00
parent c281628fdc
commit 1cff066c17
3 changed files with 12 additions and 15 deletions
--- a/server/routes/branding.js
+++ b/server/routes/branding.js
@@ -5,14 +5,13 @@ import fs from 'fs';
 import { fileURLToPath } from 'url';
 import { getDb } from '../config/database.js';
 import { authenticateToken, requireAdmin } from '../middleware/auth.js';
-import { themes } from '../../src/themes/index.js';

 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);

 const router = Router();

-const VALID_THEMES = new Set(themes.map(t => t.id));
+const SAFE_ID_RE = /^[a-zA-Z0-9_-]{1,50}$/;

 // Ensure uploads/branding directory exists
 const brandingDir = path.join(__dirname, '..', '..', 'uploads', 'branding');
@@ -180,8 +179,8 @@ router.put('/default-theme', authenticateToken, requireAdmin, async (req, res) =
    if (!defaultTheme || !defaultTheme.trim()) {
      return res.status(400).json({ error: 'defaultTheme is required' });
    }
-    // H4: validate against known theme IDs
-    if (!VALID_THEMES.has(defaultTheme.trim())) {
+    // Basic format validation for theme ID
+    if (!SAFE_ID_RE.test(defaultTheme.trim())) {
      return res.status(400).json({ error: 'Invalid theme' });
    }
    await setSetting('default_theme', defaultTheme.trim());