davide/ecommerce-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): whitelist allowed keys in admin settings endpoint

Browse Source 
Reject any key not in the explicit allowlist before writing to the database,
preventing arbitrary configuration injection by a malicious admin.
This commit is contained in:
Davide Grilli
2026-05-19 10:10:34 +02:00
parent fcfa0707a1
commit 45a50dc906
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/src/app/api/admin/settings/route.ts
+15
View File
@@ -2,6 +2,17 @@ import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/prisma' import { prisma } from '@/lib/prisma'
import { getCurrentUser } from '@/lib/auth' import { getCurrentUser } from '@/lib/auth'
const ALLOWED_SETTING_KEYS = [
'site_name',
'site_description',
'support_email',
'currency',
'tax_rate',
'footer_copyright',
'footer_links',
'favicon_url',
] as const
async function requireAdmin() { async function requireAdmin() {
const user = await getCurrentUser() const user = await getCurrentUser()
if (!user || (user.role !== 'ADMIN' && user.role !== 'OWNER')) return null if (!user || (user.role !== 'ADMIN' && user.role !== 'OWNER')) return null
@@ -40,6 +51,10 @@ export async function POST(request: NextRequest) {
if (!key) return NextResponse.json({ error: 'Key is required' }, { status: 400 }) if (!key) return NextResponse.json({ error: 'Key is required' }, { status: 400 })
if (!ALLOWED_SETTING_KEYS.includes(key as (typeof ALLOWED_SETTING_KEYS)[number])) {
return NextResponse.json({ error: 'Invalid setting key' }, { status: 400 })
}
const setting = await prisma.siteSettings.upsert({ const setting = await prisma.siteSettings.upsert({
where: { key }, where: { key },
update: { value: value as object }, update: { value: value as object },