fix(security): validate key parameter on settings read endpoint#517

Co-authored-by: Jake Turner <52841588+jakeaturner@users.noreply.github.com>
2026-04-02 23:09:26 +02:00 · 2026-04-01 18:56:19 -03:00 · 2026-04-01 18:56:19 -03:00 · 27e6c2308a
commit 27e6c2308a
parent cd9a78b473
2 changed files with 7 additions and 4 deletions
--- a/admin/app/controllers/settings_controller.ts
+++ b/admin/app/controllers/settings_controller.ts
@ -3,7 +3,7 @@ import { BenchmarkService } from '#services/benchmark_service'
 import { MapService } from '#services/map_service'
 import { OllamaService } from '#services/ollama_service'
 import { SystemService } from '#services/system_service'
-import { updateSettingSchema } from '#validators/settings'
+import { getSettingSchema, updateSettingSchema } from '#validators/settings'
 import { inject } from '@adonisjs/core'
 import type { HttpContext } from '@adonisjs/core/http'
 import type { KVStoreKey } from '../../types/kv_store.js'
@ -110,9 +110,9 @@ export default class SettingsController {
  }

  async getSetting({ request, response }: HttpContext) {
-    const key = request.qs().key
-    const value = await KVStore.getValue(key as KVStoreKey)
-    return response.status(200).send({ key, value })
+    const { key } = await getSettingSchema.validate({ key: request.qs().key });
+    const value = await KVStore.getValue(key);
+    return response.status(200).send({ key, value });
  }

  async updateSetting({ request, response }: HttpContext) {
--- a/admin/app/validators/settings.ts
+++ b/admin/app/validators/settings.ts
@ -1,6 +1,9 @@
 import vine from "@vinejs/vine";
 import { SETTINGS_KEYS } from "../../constants/kv_store.js";

+export const getSettingSchema = vine.compile(vine.object({
+    key: vine.enum(SETTINGS_KEYS),
+}))

 export const updateSettingSchema = vine.compile(vine.object({
    key: vine.enum(SETTINGS_KEYS),