Skip to content

Commit bf41044

Browse files
committed
Security Hardening: Check secret variable key names for illegal strings (i.e. __proto__ and the like).
1 parent eb23ba4 commit bf41044

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

htdocs/js/pages/admin/Secrets.class.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -635,6 +635,9 @@ Page.Secrets = class Secrets extends Page.PageUtils {
635635
if (!variable.name.match(/^[A-Za-z_]\w*$/)) {
636636
return app.badField('fe_sev_name', "Please enter a valid variable name (must follow POSIX environment variable rules).");
637637
}
638+
if (variable.name.match(app.MATCH_BAD_KEY)) {
639+
return app.badField('fe_sev_name', "Please enter a valid variable name (illegal key).");
640+
}
638641

639642
// if user enters a new dupe name, just silently replace existing
640643
if (idx == -1) idx = find_object_idx( self.fields, { name: variable.name } );

0 commit comments

Comments
 (0)