fix(transcription): UUID-guard saveBlock path interpolation

Sina #5505 concern 1: doc.id and blockId are server-trusted today, but the path-interpolation pattern is repeated three times across the route and the autosave hook. Validate both ids against the standard UUID regex before any fetch fires so a future feature taking user-supplied ids cannot silently introduce a path-injection vector. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 01:09:52 +02:00
parent 362a84dde9
commit 43aacd9f60
1 changed files with 9 additions and 0 deletions
--- a/frontend/src/routes/documents/[id]/+page.svelte
+++ b/frontend/src/routes/documents/[id]/+page.svelte
@@ -88,11 +88,20 @@ async function loadTranscriptionBlocks() {
 	}
 }

+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+
 async function saveBlock(
 	blockId: string,
 	text: string,
 	mentionedPersons: import('$lib/types').PersonMention[]
 ) {
+	// Path-injection defence in depth (Sina #5505): both ids are server-controlled
+	// today, but reject anything that isn't a UUID before interpolating it into
+	// the URL — a future feature accepting user-supplied ids must not silently
+	// bypass this check.
+	if (!UUID_RE.test(doc.id) || !UUID_RE.test(blockId)) {
+		throw new Error(`Invalid id for save: doc=${doc.id} block=${blockId}`);
+	}
 	const res = await fetch(`/api/documents/${doc.id}/transcription-blocks/${blockId}`, {
 		method: 'PUT',
 		headers: { 'Content-Type': 'application/json' },