From b183bc67450a6aec21986c91251d14f706a3a4f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=C3=ADs=20Miguel?= <148079567+LuisMIguelFurlanettoSousa@users.noreply.github.com>
Date: Wed, 1 Apr 2026 18:56:19 -0300
Subject: [PATCH] fix(security): validate key parameter on settings read endpoint#517
Co-authored-by: Jake Turner <52841588+jakeaturner@users.noreply.github.com>
---
 admin/app/controllers/settings_controller.ts | 8 ++++----
 admin/app/validators/settings.ts | 3 +++
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/admin/app/controllers/settings_controller.ts b/admin/app/controllers/settings_controller.ts
index 9ae965e..3e32151 100644
--- a/admin/app/controllers/settings_controller.ts
+++ b/admin/app/controllers/settings_controller.ts
@@ -3,7 +3,7 @@ import { BenchmarkService } from '#services/benchmark_service'
 import { MapService } from '#services/map_service'
 import { OllamaService } from '#services/ollama_service'
 import { SystemService } from '#services/system_service'
-import { updateSettingSchema } from '#validators/settings'
+import { getSettingSchema, updateSettingSchema } from '#validators/settings'
 import { inject } from '@adonisjs/core'
 import type { HttpContext } from '@adonisjs/core/http'
 import type { KVStoreKey } from '../../types/kv_store.js'
@@ -110,9 +110,9 @@ export default class SettingsController {
 }
 
 async getSetting({ request, response }: HttpContext) {
- const key = request.qs().key
- const value = await KVStore.getValue(key as KVStoreKey)
- return response.status(200).send({ key, value })
+ const { key } = await getSettingSchema.validate({ key: request.qs().key });
+ const value = await KVStore.getValue(key);
+ return response.status(200).send({ key, value });
 }
 
 async updateSetting({ request, response }: HttpContext) {
diff --git a/admin/app/validators/settings.ts b/admin/app/validators/settings.ts
index 3bd41a3..fff9d38 100644
--- a/admin/app/validators/settings.ts
+++ b/admin/app/validators/settings.ts
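Review bot: The new `getSettingSchema.validate(...)` call in getSetting has no failure path of its own — a missing or unknown `key` now rejects with a VineJS validation error, so the 4xx the client sees depends entirely on the app's global exception handler mapping that error (AdonisJS does this by default, but confirm this project's handler has not overridden it, otherwise the endpoint answers 500). If the controller already uses the request validator elsewhere, `const { key } = await request.validateUsing(getSettingSchema)` would be the idiomatic form here (`request.all()` includes the query string) and keeps error reporting consistent across actions. The three added lines also end in semicolons while every other visible line of the file, including the three removed ones, omits them; drop them to match the file's style. With the `as KVStoreKey` cast gone, the `KVStoreKey` type import kept in the first hunk may now be unused in this controller — worth checking before merge.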
@@ -1,6 +1,9 @@
 import vine from "@vinejs/vine";
 import { SETTINGS_KEYS } from "../../constants/kv_store.js";
+export const getSettingSchema = vine.compile(vine.object({
+ key: vine.enum(SETTINGS_KEYS),
+}))
 export const updateSettingSchema = vine.compile(vine.object({
 key: vine.enum(SETTINGS_KEYS),