From c2f95ab2d733b46c32acb5de14da63341e208462 Mon Sep 17 00:00:00 2001
From: acalcutt
Date: Sat, 4 Jan 2025 22:47:32 -0500
Subject: [PATCH] codeql

---
 src/serve_style.js |  5 ++++-
 src/utils.js       | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/serve_style.js b/src/serve_style.js
index 68c6319..63d7df4 100644
--- a/src/serve_style.js
+++ b/src/serve_style.js
@@ -54,7 +54,10 @@ export const serve_style = {
   app.get('/:id/style.json', (req, res, next) => {
     const { id } = req.params;
     if (verbose) {
-      console.log('Handling style request for: /styles/%s/style.json', id);
+      console.log(
+        'Handling style request for: /styles/%s/style.json',
+        String(id),
+      );
     }
     try {
       const item = repo[id];
diff --git a/src/utils.js b/src/utils.js
index 0566dcb..354b35c 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -209,11 +209,17 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
       return reject('Invalid font name');
     }
 
+    const rangeMatch = range?.match(/^[\d-]+$/);
+    const sanitizedRange = rangeMatch?.[0] || 'invalid';
     if (!/^\d+-\d+$/.test(range)) {
-      console.error('ERROR: Invalid range: %s', range);
+      console.error('ERROR: Invalid range: %s', sanitizedRange);
       return reject('Invalid range');
     }
-    const filename = path.join(fontPath, sanitizedName, `${range}.pbf`);
+    const filename = path.join(
+      fontPath,
+      sanitizedName,
+      `${sanitizedRange}.pbf`,
+    );
     if (!fallbacks) {
       fallbacks = clone(allowedFonts || {});
     }
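Review bot: Wrapping the route parameter in `String(id)` in the verbose log does not change what reaches the log, since an Express path parameter is already a string, so a value containing CR/LF or other control characters still lands in the output unchanged and the log-forging finding this commit appears to target is only silenced, not fixed. To actually neutralise line injection while keeping the value readable, encode it or strip control characters before logging, e.g. `encodeURIComponent(id)` or `id.replace(/[\r\n]/g, '')`, and it is worth a one-line comment on why, such as `// encode so a crafted id cannot forge extra log lines`. The `app.get` handler continues outside the hunk, so any later logging of `id` in the same handler needs the same treatment.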
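Review bot: The new `rangeMatch`/`sanitizedRange` pair is redundant with the strict `/^\d+-\d+$/` test two lines below: every `range` that passes that test also matches `/^[\d-]+$/`, so at the `path.join` call `sanitizedRange` is always byte-identical to `range`, and the `'invalid'` fallback is only reachable in the `console.error` branch. That branch now logs `'invalid'` (or a digit/dash fragment like `1-2-3`) instead of the offending input, which loses the diagnostic the error message existed for. A single match that serves both purposes is clearer and keeps the path derivation visibly tied to the validation, e.g. `const rangeMatch = /^\d+-\d+$/.exec(range); if (!rangeMatch) { console.error('ERROR: Invalid range: %s', encodeURIComponent(String(range))); return reject('Invalid range'); }` followed by `path.join(fontPath, sanitizedName, \`${rangeMatch[0]}.pbf\`)`. `getFontPbf` begins and ends outside the hunk, so the `sanitizedName` computation referenced here was not reviewed.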