From 874daa816d8cf8e4466ba65bf137ce745356d95e Mon Sep 17 00:00:00 2001
From: LuisMIguelFurlanettoSousa
Date: Tue, 24 Mar 2026 06:45:59 -0300
Subject: [PATCH] fix(security): validar chave no endpoint de leitura de settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

O endpoint GET /api/system/settings aceitava qualquer string como chave sem validação, enquanto o endpoint de escrita (PATCH) já validava contra um enum de chaves permitidas. Adiciona getSettingSchema com a mesma validação vine.enum(SETTINGS_KEYS) para o endpoint de leitura, rejeitando chaves fora da lista permitida. Ref #211
---
 admin/app/controllers/settings_controller.ts | 7 +++----
 admin/app/validators/settings.ts | 3 +++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/admin/app/controllers/settings_controller.ts b/admin/app/controllers/settings_controller.ts
index e90370d..cb3fb03 100644
--- a/admin/app/controllers/settings_controller.ts
+++ b/admin/app/controllers/settings_controller.ts
@@ -3,10 +3,9 @@ import { BenchmarkService } from '#services/benchmark_service';
 import { MapService } from '#services/map_service';
 import { OllamaService } from '#services/ollama_service';
 import { SystemService } from '#services/system_service';
-import { updateSettingSchema } from '#validators/settings';
+import { getSettingSchema, updateSettingSchema } from '#validators/settings';
 import { inject } from '@adonisjs/core';
 import type { HttpContext } from '@adonisjs/core/http'
-import type { KVStoreKey } from '../../types/kv_store.js';
 @inject()
 export default class SettingsController {
@@ -103,8 +102,8 @@ export default class SettingsController {
 }
 async getSetting({ request, response }: HttpContext) {
- const key = request.qs().key;
- const value = await KVStore.getValue(key as KVStoreKey);
+ const { key } = await getSettingSchema.validate({ key: request.qs().key });
+ const value = await KVStore.getValue(key);
 return response.status(200).send({ key, value });
 }
diff --git a/admin/app/validators/settings.ts b/admin/app/validators/settings.ts
index 3bd41a3..fff9d38 100644
--- a/admin/app/validators/settings.ts
+++ b/admin/app/validators/settings.ts
@@ -1,6 +1,9 @@
 import vine from "@vinejs/vine";
 import { SETTINGS_KEYS } from "../../constants/kv_store.js";
+export const getSettingSchema = vine.compile(vine.object({
+ key: vine.enum(SETTINGS_KEYS),
+}))
 export const updateSettingSchema = vine.compile(vine.object({
 key: vine.enum(SETTINGS_KEYS),
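Review bot: `getSettingSchema.validate` throws on a key outside `SETTINGS_KEYS` and `getSetting` catches nothing, so the rejection the commit message promises only becomes a 4xx response if the app's global exception handler maps VineJS validation errors (not visible here; the AdonisJS default handler does this, but it is worth confirming in the project's handler). If `updateSetting` reaches its validator through `request.validateUsing(updateSettingSchema)` (outside the hunk), use the same entry point here — `const { key } = await request.validateUsing(getSettingSchema);` — so both endpoints produce the same error shape and go through the same reporter; in AdonisJS v6 `request.all()` merges the query string, so the hand-built `{ key: request.qs().key }` object should not be needed, but verify that against the installed version. Either way the method deserves a TSDoc line such as `/** GET handler: returns the stored value for key; any key not in SETTINGS_KEYS fails validation before reaching KVStore, and a missing key is rejected the same way. */`. Removing the `as KVStoreKey` cast is the right outcome of this change: the narrowed type now comes from the validator, so a cast can no longer hide unvalidated query input reaching the store. The enclosing `SettingsController` class continues outside the hunk.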