From 45a50dc906c90f342d8422e5451d478014b7166c Mon Sep 17 00:00:00 2001
From: Davide Grilli
Date: Tue, 19 May 2026 10:10:34 +0200
Subject: [PATCH] fix(security): whitelist allowed keys in admin settings endpoint

Reject any key not in the explicit allowlist before writing to the database, preventing arbitrary configuration injection by a malicious admin.
---
 app/src/app/api/admin/settings/route.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app/src/app/api/admin/settings/route.ts b/app/src/app/api/admin/settings/route.ts
index 9db69f3..504e63f 100644
--- a/app/src/app/api/admin/settings/route.ts
+++ b/app/src/app/api/admin/settings/route.ts
@@ -2,6 +2,17 @@ import { NextRequest, NextResponse } from 'next/server'
 import { prisma } from '@/lib/prisma'
 import { getCurrentUser } from '@/lib/auth'
 
+const ALLOWED_SETTING_KEYS = [
+  'site_name',
+  'site_description',
+  'support_email',
+  'currency',
+  'tax_rate',
+  'footer_copyright',
+  'footer_links',
+  'favicon_url',
+] as const
+
 async function requireAdmin() {
   const user = await getCurrentUser()
   if (!user || (user.role !== 'ADMIN' && user.role !== 'OWNER')) return null
@@ -40,6 +51,10 @@ export async function POST(request: NextRequest) {
     if (!key)
       return NextResponse.json({ error: 'Key is required' }, { status: 400 })
 
+    if (!ALLOWED_SETTING_KEYS.includes(key as (typeof ALLOWED_SETTING_KEYS)[number])) {
+      return NextResponse.json({ error: 'Invalid setting key' }, { status: 400 })
+    }
+
     const setting = await prisma.siteSettings.upsert({
       where: { key },
       update: { value: value as object },
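Review bot: ALLOWED_SETTING_KEYS is the authorization boundary for the POST handler but carries no comment saying so, so the next maintainer adding a setting will not know that a missing entry here becomes a 400 at the endpoint. A TSDoc line such as `/** Setting keys an admin may write through POST; any other key is rejected with 400. Extend deliberately — this list is the injection guard. */` would record that. A type predicate beside it, `function isAllowedSettingKey(k: string): k is (typeof ALLOWED_SETTING_KEYS)[number] { return (ALLOWED_SETTING_KEYS as readonly string[]).includes(k) }`, would also let the second hunk drop the `key as (typeof ALLOWED_SETTING_KEYS)[number]` cast, which currently asserts at the type level the very membership the runtime check is establishing. The `as const` tuple itself is the right choice for deriving the key union.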
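Review bot: The new key check leaves `value` unvalidated — the lines that follow still write `value as object` for whichever key passed, so an allowed key such as `tax_rate` or `footer_links` can be stored with any JSON shape, which is the other half of the injection surface the commit message describes. A per-key shape check before the upsert (a `typeof` test for the scalar settings, an array check for `footer_links`) would close it; the expected shape of each key is not visible in this hunk, so it should be taken from the settings consumers rather than guessed. `key` presumably comes from the parsed request body, and if it is not typed as a string a `typeof key !== 'string'` guard alongside the `!key` check would keep non-string JSON values from reaching `where: { key }`. Since the description names a malicious admin as the threat, a rejected key is also worth an audit log line naming the acting user and the offending key before the 400 is returned; a silent 400 leaves no trail for incident response. The POST handler starts and ends outside this hunk.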