From 25aa05411f2770d5ac81e0fc2bcd49802aedffef Mon Sep 17 00:00:00 2001
From: Marcel
Date: Wed, 15 Apr 2026 09:39:24 +0200
Subject: [PATCH] fix(server): allowlist dir param in page.server.ts

Mirrors the existing sort allowlist pattern. Any value other than 'asc' or 'desc' silently falls back to 'desc', preventing arbitrary strings from reaching the search API.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/routes/+page.server.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts
index def3534f..da2a12e2 100644
--- a/frontend/src/routes/+page.server.ts
+++ b/frontend/src/routes/+page.server.ts
@@ -19,7 +19,12 @@ export async function load({ url, fetch }) {
 const sort: ValidSort = (VALID_SORTS as readonly string[]).includes(rawSort) ? (rawSort as ValidSort) : 'DATE';
- const dir = url.searchParams.get('dir') || 'desc';
+ const VALID_DIRS = ['asc', 'desc'] as const;
+ type ValidDir = (typeof VALID_DIRS)[number];
+ const rawDir = url.searchParams.get('dir') ?? 'desc';
+ const dir: ValidDir = (VALID_DIRS as readonly string[]).includes(rawDir) ? (rawDir as ValidDir) : 'desc';
 const tagQ = url.searchParams.get('tagQ') || '';
 const isDashboard = !q && !from && !to && !senderId && !receiverId && !tags.length && !tagQ;
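Review bot: The new `VALID_DIRS` allowlist and its `ValidDir` alias are declared inside `load`, so they are rebuilt on every request and sit apart from `VALID_SORTS`, which the first context line uses without declaring and therefore presumably lives at module scope; hoisting `VALID_DIRS`/`ValidDir` next to it keeps the two allowlists in one place and makes the mirrored pattern obvious. The widening `as readonly string[]` followed by the narrowing `as ValidDir` on the value can be replaced by a predicate, `const isValidDir = (v: string): v is ValidDir => (VALID_DIRS as readonly string[]).includes(v);` and then `const dir: ValidDir = isValidDir(rawDir) ? rawDir : 'desc';`, so the checked value is never cast. Because `includes` compares literally, `?dir=ASC` or `?dir=` is rejected and falls back to `'desc'`; that matches the commit's stated intent but deserves a comment on the allowlist, e.g. `// Unknown, empty or differently-cased values fall back to 'desc' rather than erroring.` The enclosing `load` function starts before and continues past this hunk.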