
Commit cb100d5

authored
Allow only valid values for theme query string (#2745)
1 parent 1fcc807 commit cb100d5

3 files changed

+22
-3
lines changed


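--- a/.changeset/loud-files-tap.md
+++ b/.changeset/loud-files-tap.md
@@ -0,0 +1,5 @@
+---
+'gitbook': patch
+---
+
+Allow only good values for theme query parameter. Avoid having a 500 error when we pass an invalid value.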

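--- a/packages/gitbook/src/lib/api.ts
+++ b/packages/gitbook/src/lib/api.ts
@@ -876,6 +876,18 @@ export async function getSiteData(
     };
 }
 
+/**
+ * Validate that the customization settings passed are valid.
+ */
+export function validateSerializedCustomization(raw: string): boolean {
+    try {
+        rison.decode_object(raw);
+        return true;
+    } catch {
+        return false;
+    }
+}
+
 /**
  * Get the customization settings for a space from the API.
  */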
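--- a/packages/gitbook/src/middleware.ts
+++ b/packages/gitbook/src/middleware.ts
@@ -1,10 +1,11 @@
-import { ContentAPITokenPayload, GitBookAPI } from '@gitbook/api';
+import { ContentAPITokenPayload, CustomizationThemeMode, GitBookAPI } from '@gitbook/api';
 import { setTag, setContext } from '@sentry/nextjs';
 import assertNever from 'assert-never';
 import jwt from 'jsonwebtoken';
 import type { ResponseCookie } from 'next/dist/compiled/@edge-runtime/cookies';
 import { NextResponse, NextRequest } from 'next/server';
 import hash from 'object-hash';
+import rison from 'rison';
 
 import {
     PublishedContentWithCache,
@@ -17,6 +18,7 @@ import {
     DEFAULT_API_ENDPOINT,
     getPublishedContentSite,
     getSiteData,
+    validateSerializedCustomization,
 } from '@/lib/api';
 import { race } from '@/lib/async';
 import { buildVersion } from '@/lib/build';
@@ -259,12 +261,12 @@ export async function middleware(request: NextRequest) {
     }
 
     const customization = url.searchParams.get('customization');
-    if (customization) {
+    if (customization && validateSerializedCustomization(customization)) {
         headers.set('x-gitbook-customization', customization);
     }
 
     const theme = url.searchParams.get('theme');
-    if (theme) {
+    if (theme === CustomizationThemeMode.Dark || theme === CustomizationThemeMode.Light) {
         headers.set('x-gitbook-theme', theme);
     }
 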