pass rest of appState in put request

2026-01-18 02:07:54 +05:30
parent 7c238701b7
commit a8615d9087
2 changed files with 21 additions and 15 deletions
@@ -30,7 +30,9 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
 * Configure security settings
 * @param config Partial configuration to merge with defaults
 */
-export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => {
+export const configureSecuritySettings = (
+  config: Partial<SecurityConfig>
+): void => {
  activeConfig = { ...activeConfig, ...config };
 };

@@ -317,13 +319,7 @@ export const appStateSchema = z
      .enum(["solid", "dashed", "dotted"])
      .optional()
      .nullable(),
-    currentItemRoundness: z
-      .object({
-        type: z.enum(["round", "sharp"]),
-        value: z.number().finite().min(0).max(1),
-      })
-      .optional()
-      .nullable(),
+    currentItemRoundness: z.enum(["sharp", "round"]).optional().nullable(),
    currentItemFontSize: z
      .number()
      .finite()
@@ -427,10 +423,19 @@ export const sanitizeDrawingData = (data: {
      ];

      // Dangerous URL protocols to block entirely
-      const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i];
+      const dangerousProtocols = [
+        /^javascript:/i,
+        /^vbscript:/i,
+        /^data:text\/html/i,
+      ];

      // Suspicious patterns for security validation within data URLs
-      const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i];
+      const suspiciousPatterns = [
+        /<script/i,
+        /javascript:/i,
+        /on\w+\s*=/i,
+        /<iframe/i,
+      ];

      // Maximum size for dataURL (configurable, default 10MB to prevent DoS)
      const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
@@ -448,8 +453,8 @@ export const sanitizeDrawingData = (data: {
                const normalizedValue = value.toLowerCase();

                // First, check for dangerous protocols - block these entirely
-                const hasDangerousProtocol = dangerousProtocols.some((pattern) =>
-                  pattern.test(value)
+                const hasDangerousProtocol = dangerousProtocols.some(
+                  (pattern) => pattern.test(value)
                );

                if (hasDangerousProtocol) {
@@ -465,8 +470,8 @@ export const sanitizeDrawingData = (data: {

                if (isSafeImageType) {
                  // Check for suspicious content and size limits
-                  const hasSuspiciousContent = suspiciousPatterns.some((pattern) =>
-                    pattern.test(value)
+                  const hasSuspiciousContent = suspiciousPatterns.some(
+                    (pattern) => pattern.test(value)
                  );
                  const isTooLarge = value.length > MAX_DATAURL_SIZE;

@@ -570,7 +575,7 @@ const getCsrfSecret = (): Buffer => {
  const envLabel = process.env.NODE_ENV ? ` (${process.env.NODE_ENV})` : "";
  console.warn(
    `[security] CSRF_SECRET is not set${envLabel}. Using an ephemeral per-process secret. ` +
-    "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
+      "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
  );
  return cachedCsrfSecret;
 };
@@ -301,6 +301,7 @@ export const Editor: React.FC = () => {

    try {
      const persistableAppState = {
+        ...appState,
        viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
        gridSize: appState?.gridSize || null,
      };