Fix #22572 Invalid query for random string (#22573)

* Fix #22572 Invalid query for random string * Add changeset * Run prettier * Fix unit tests warnings * redo validation with Joi * make validation on object level documents itself and is cleaner to expand on * Update changeset * Allow integer only * Require min value of 1 * Report as query error, ignore unknown queries --------- Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
2026-04-25 03:00:53 -04:00 · 2024-05-26 15:13:17 +02:00
parent 76c8a635f1
commit 7d2a1392f4
3 changed files with 15 additions and 8 deletions
--- a/api/src/controllers/utils.ts
+++ b/api/src/controllers/utils.ts
@@ -14,18 +14,20 @@ import { sanitizeQuery } from '../utils/sanitize-query.js';

 const router = Router();

+const randomStringSchema = Joi.object<{ length: number }>({
+	length: Joi.number().integer().min(1).max(500).default(32),
+});
+
 router.get(
 	'/random/string',
 	asyncHandler(async (req, res) => {
 		const { nanoid } = await import('nanoid');

-		if (req.query && req.query['length'] && Number(req.query['length']) > 500) {
-			throw new InvalidQueryError({ reason: `"length" can't be more than 500 characters` });
-		}
+		const { error, value } = randomStringSchema.validate(req.query, { allowUnknown: true });

-		const string = nanoid(req.query?.['length'] ? Number(req.query['length']) : 32);
+		if (error) throw new InvalidQueryError({ reason: error.message });

-		return res.json({ data: string });
+		return res.json({ data: nanoid(value.length) });
 	}),
 );

--- a/api/src/services/graphql/index.ts
+++ b/api/src/services/graphql/index.ts
@@ -2536,11 +2536,11 @@ export class GraphQLService {
 				resolve: async (_, args) => {
 					const { nanoid } = await import('nanoid');

-					if (args['length'] && Number(args['length']) > 500) {
-						throw new InvalidPayloadError({ reason: `"length" can't be more than 500 characters` });
+					if (args['length'] !== undefined && (args['length'] < 1 || args['length'] > 500)) {
+						throw new InvalidPayloadError({ reason: `"length" must be between 1 and 500` });
 					}

-					return nanoid(args['length'] ? Number(args['length']) : 32);
+					return nanoid(args['length'] ? args['length'] : 32);
 				},
 			},
 			utils_hash_generate: {