codeql sanitize

2025-01-04 03:00:50 -05:00 · 2025-01-04 03:00:50 -05:00 · 4fe9bda070
commit 4fe9bda070
parent bc85d7a1e5
1 changed files with 5 additions and 5 deletions
--- a/src/serve_style.js
+++ b/src/serve_style.js
@ -100,13 +100,14 @@ export const serve_style = {
     */
    app.get(`/:id/sprite{/:spriteID}{@:scale}{.:format}`, (req, res, next) => {
      const { spriteID = 'default', id, format, scale } = req.params;
+      const sanitizedId = String(id);
      const sanitizedScale = scale ? String(scale) : '';
      const sanitizedSpriteID = String(spriteID);
      const sanitizedFormat = format ? '.' + String(format) : '';
      if (verbose) {
        console.log(
          `Handling sprite request for: /styles/%s/sprite/%s%s%s`,
-          id,
+          sanitizedId,
          sanitizedSpriteID,
          sanitizedScale,
          sanitizedFormat,
@ -118,7 +119,7 @@ export const serve_style = {
        if (verbose)
          console.error(
            `Sprite item, format, or scale not found for: /styles/%s/sprite/%s%s%s`,
-            id,
+            sanitizedId,
            sanitizedSpriteID,
            sanitizedScale,
            sanitizedFormat,
@ -132,7 +133,7 @@ export const serve_style = {
        if (verbose)
          console.error(
            `Sprite not found for: /styles/%s/sprite/%s%s%s`,
-            id,
+            sanitizedId,
            sanitizedSpriteID,
            sanitizedScale,
            sanitizedFormat,
@ -155,7 +156,6 @@ export const serve_style = {
            );
          return res.sendStatus(404);
        }
-
        if (validatedFormat === 'json') {
          res.header('Content-type', 'application/json');
        } else if (validatedFormat === 'png') {
@ -164,7 +164,7 @@ export const serve_style = {
        if (verbose)
          console.log(
            `Responding with sprite data for /styles/%s/sprite/%s%s%s`,
-            id,
+            sanitizedId,
            sanitizedSpriteID,
            sanitizedScale,
            sanitizedFormat,