From e1cae331b9bd031f0be944938e83b9ade7ff914e Mon Sep 17 00:00:00 2001
From: acalcutt
Date: Fri, 3 Jan 2025 23:40:30 -0500
Subject: [PATCH] codeql serve fonts

---
 src/serve_font.js | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/serve_font.js b/src/serve_font.js
index 020d6d5..ec0b424 100644
--- a/src/serve_font.js
+++ b/src/serve_font.js
@@ -32,10 +32,18 @@ export async function serve_font(options, allowedFonts, programOpts) {
   app.get('/fonts/:fontstack/:range.pbf', async (req, res) => {
     if (verbose) {
       console.log(
-        `Handling font request for: /fonts/${req.params.fontstack}/${req.params.range}.pbf`,
+        `Handling font request for: /fonts/%s/%s.pbf`,
+        req.params.fontstack,
+        req.params.range,
       );
     }
-    const fontstack = decodeURI(req.params.fontstack);
+    let fontstack = req.params.fontstack;
+    const fontStackMatch = fontstack?.match(/^[\w\s-]+$/);
+    if (!fontStackMatch) {
+      return res.status(400).send('Invalid font stack format');
+    }
+    fontstack = decodeURI(fontStackMatch[0]);
+
     const range = req.params.range;
 
     try {
@@ -51,7 +59,12 @@ export async function serve_font(options, allowedFonts, programOpts) {
       res.header('Last-Modified', lastModified);
       return res.send(concatenated);
     } catch (err) {
-      console.error(`Error serving font: ${fontstack}/${range}.pbf`, err);
+      console.error(
+        `Error serving font: %s/%s.pbf, Error: %s`,
+        fontstack,
+        range,
+        String(err),
+      );
       return res
         .status(400)
         .header('Content-Type', 'text/plain')
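Review bot: The allow-list at `const fontStackMatch = fontstack?.match(/^[\w\s-]+$/);` runs before `decodeURI`, so the following `fontstack = decodeURI(fontStackMatch[0]);` can never change the value (the class excludes `%`) and is effectively dead; Express has already percent-decoded the route parameter, so the line can simply be dropped. The class also excludes commas, so if this route is expected to serve comma-separated font stacks as style specs commonly send them, those requests now receive a 400 and the class would need widening to something like `/^[\w\s,-]+$/`. `range` gets no equivalent check in this commit; if ranges are always of the form `0-255`, `if (!/^\d+-\d+$/.test(range)) return res.status(400).send('Invalid range format');` gives it the same treatment before it reaches the file lookup. The `?.` on `fontstack` is unnecessary for a matched route parameter, which is always a string. The handler's try block continues outside this hunk.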
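Review bot: `String(err)` in the new console.error call in the second hunk drops the stack and any `cause`, whereas the removed line passed `err` as its own argument and let the console print it in full, so the log loses the detail that would explain the failure. Keeping the format string and passing the error object as the trailing argument preserves it: `console.error('Error serving font: %s/%s.pbf', fontstack, range, err);`. The `%s` substitution itself is fine here and in the first hunk's console.log, since the values are only interpolated into the log string. The try block this catch belongs to begins outside the hunk.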