fix(security): validate key parameter on settings read endpoint#517

Co-authored-by: Jake Turner <52841588+jakeaturner@users.noreply.github.com>

admin/app/controllers/settings_controller.ts

@@ -3,7 +3,7 @@ import { BenchmarkService } from '#services/benchmark_service'
 import { MapService } from '#services/map_service'
 import { OllamaService } from '#services/ollama_service'
 import { SystemService } from '#services/system_service'
-import { updateSettingSchema } from '#validators/settings'
+import { getSettingSchema, updateSettingSchema } from '#validators/settings'
 import { inject } from '@adonisjs/core'
 import type { HttpContext } from '@adonisjs/core/http'
 import type { KVStoreKey } from '../../types/kv_store.js'
@@ -110,9 +110,9 @@ export default class SettingsController {
   }
 
   async getSetting({ request, response }: HttpContext) {
-    const key = request.qs().key
+    const { key } = await getSettingSchema.validate({ key: request.qs().key });
-    const value = await KVStore.getValue(key as KVStoreKey)
+    const value = await KVStore.getValue(key);
-    return response.status(200).send({ key, value })
+    return response.status(200).send({ key, value });
   }
 
   async updateSetting({ request, response }: HttpContext) {

admin/app/validators/settings.ts

@@ -1,6 +1,9 @@
 import vine from "@vinejs/vine";
 import { SETTINGS_KEYS } from "../../constants/kv_store.js";
 
+export const getSettingSchema = vine.compile(vine.object({
+    key: vine.enum(SETTINGS_KEYS),
+}))
 
 export const updateSettingSchema = vine.compile(vine.object({
     key: vine.enum(SETTINGS_KEYS),