From a51c134da73263e5c826ec391a38b8f25b264edf Mon Sep 17 00:00:00 2001 From: teernisse Date: Fri, 30 Jan 2026 09:34:29 -0500 Subject: [PATCH] Harden API layer: encode session IDs and validate export payload Session fetch (useSession.ts): - Wrap the session ID in encodeURIComponent before interpolating into the fetch URL. Session IDs can contain characters like '+' or '/' that would corrupt the path without encoding. Export route (export.ts): - Add validation that redactedMessageUuids, when present, is an array. Previously only visibleMessageUuids was checked, so a malformed redactedMessageUuids value (e.g. a string or object) would silently pass validation and potentially cause downstream type errors in the HTML exporter. Co-Authored-By: Claude Opus 4.5 --- src/client/hooks/useSession.ts | 2 +- src/server/routes/export.ts | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/client/hooks/useSession.ts b/src/client/hooks/useSession.ts index 68f5b92..08e7e9b 100644 --- a/src/client/hooks/useSession.ts +++ b/src/client/hooks/useSession.ts @@ -42,7 +42,7 @@ export function useSession(): SessionState { setSessionLoading(true); setSessionError(null); try { - const res = await fetch(`/api/sessions/${id}`); + const res = await fetch(`/api/sessions/${encodeURIComponent(id)}`); if (!res.ok) throw new Error(`HTTP ${res.status}`); const data = await res.json(); setCurrentSession(data); diff --git a/src/server/routes/export.ts b/src/server/routes/export.ts index 35c5379..791c338 100644 --- a/src/server/routes/export.ts +++ b/src/server/routes/export.ts @@ -10,7 +10,9 @@ exportRouter.post("/", async (req, res) => { if ( !exportReq?.session?.messages || !Array.isArray(exportReq.session.messages) || - !Array.isArray(exportReq.visibleMessageUuids) + !Array.isArray(exportReq.visibleMessageUuids) || + (exportReq.redactedMessageUuids !== undefined && + !Array.isArray(exportReq.redactedMessageUuids)) ) { res.status(400).json({ error: "Invalid export request: missing session, messages, or visibleMessageUuids" }); return;