From b342d7c9c5be1fe7626504bdfbcfae249bc26326 Mon Sep 17 00:00:00 2001
From: Jonathan Barrow
Date: Mon, 17 Mar 2025 18:37:19 -0400
Subject: [PATCH] fix: fix blogpost and terms name checks
---
 src/routes/blog.js | 6 ++++++
 src/routes/terms.js | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/src/routes/blog.js b/src/routes/blog.js
index 2c07097..9d1c71a 100644
--- a/src/routes/blog.js
+++ b/src/routes/blog.js
@@ -69,6 +69,12 @@ router.get('/:slug', async (request, response, next) => {
 // Get the name of the post from the URL
 const postName = request.params.slug;
+ if (!/^[0-9-]+$/.test(postName)) {
+ logger.error(`Invalid blog post name name ${postName}`);
+ next();
+ return;
+ }
+
 // Get the markdown file corresponding to the post
 let rawPost;
 try {
diff --git a/src/routes/terms.js b/src/routes/terms.js
index 0307a05..40027e8 100644
--- a/src/routes/terms.js
+++ b/src/routes/terms.js
@@ -14,6 +14,12 @@ router.get('/:slug', async (request, response, next) => {
 const termName = request.params.slug;
+ if (!/^[a-z]+$/.test(termName)) {
+ logger.error(`Invalid term name ${termName}`);
+ next();
+ return;
+ }
+
 let rawTerm;
 try {
 rawTerm = await fs.readFile(path.join('terms', `${termName}.md`), 'utf-8');
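Review bot: The rejected slug is written to the log verbatim in ``logger.error(`Invalid blog post name name ${postName}`)`` in src/routes/blog.js, and the terms.js hunk does the same with `termName`. Any value that reaches this branch has failed the allow-list, so it is unbounded in length and may contain newlines or control characters once the router has percent-decoded the parameter, which would let a request split or forge log entries. Logging an escaped, truncated form closes that gap and also drops the duplicated word "name": ``logger.error(`Invalid blog post name ${JSON.stringify(postName.slice(0, 64))}`);`` (64 is an arbitrary cap). Routine bad requests may also belong at a lower level than error, if the logger has one, so scanners cannot flood the error log. The route handler starts and ends outside the hunk.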
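Review bot: The check `if (!/^[a-z]+$/.test(termName))` in src/routes/terms.js is the only thing keeping a request-controlled slug out of the `path.join('terms', ...)` read three lines below, but nothing in the code marks it as a security control. A comment above it would stop the pattern being loosened later, e.g. `// Security: allow-list the slug before it is used in a file path; never admit '.', '/' or '\\' here.` The same comment fits the `/^[0-9-]+$/` check in the blog.js hunk, where the file read is presumably just past the end of the hunk. The pattern also has to match the files in `terms/`: a term file with a digit or hyphen in its name would now fall through to `next()`, which is worth confirming against the directory. The handler ends outside the hunk.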