From 315ddb17c1de9c90da4d43788b12e42301731448 Mon Sep 17 00:00:00 2001
From: dumbmoron
Date: Sat, 6 Jul 2024 08:59:02 +0000
Subject: [PATCH] web/onDemand: check blockId is string, early return if not
---
 src/core/web.js | 69 +++++++++++++++++++++++++------------------------
 1 file changed, 35 insertions(+), 34 deletions(-)
diff --git a/src/core/web.js b/src/core/web.js
index 9a281c47..d892c56c 100644
--- a/src/core/web.js
+++ b/src/core/web.js
@@ -26,45 +26,46 @@ export async function runWeb(express, app, gitCommit, gitBranch, __dirname) {
 app.get('/onDemand', (req, res) => {
 try {
- if (req.query.blockId) {
- let blockId = req.query.blockId.slice(0, 3);
- let blockData;
- switch(blockId) {
- // changelog history
- case "0":
- let history = changelogHistory();
- if (history) {
- blockData = createResponse("success", { t: history })
- } else {
- blockData = createResponse("error", {
- t: "couldn't render this block, please try again!"
- })
- }
- break;
- // celebrations emoji
- case "1":
- let celebration = celebrationsEmoji();
- if (celebration) {
- blockData = createResponse("success", { t: celebration })
- }
- break;
- default:
- blockData = createResponse("error", {
- t: "couldn't find a block with this id"
- })
- break;
- }
- if (blockData?.body) {
- return res.status(blockData.status).json(blockData.body);
- } else {
- return res.status(204).end();
- }
- } else {
+ if (typeof req.query.blockId !== 'string') {
 return res.status(400).json({
 status: "error",
 text: "couldn't render this block, please try again!"
 });
 }
+
+ let blockId = req.query.blockId.slice(0, 3);
+ let blockData;
+ switch(blockId) {
+ // changelog history
+ case "0":
+ let history = changelogHistory();
+ if (history) {
+ blockData = createResponse("success", { t: history })
+ } else {
+ blockData = createResponse("error", {
+ t: "couldn't render this block, please try again!"
+ })
+ }
+ break;
+ // celebrations emoji
+ case "1":
+ let celebration = celebrationsEmoji();
+ if (celebration) {
+ blockData = createResponse("success", { t: celebration })
+ }
+ break;
+ default:
+ blockData = createResponse("error", {
+ t: "couldn't find a block with this id"
+ })
+ break;
+ }
+
+ if (blockData?.body) {
+ return res.status(blockData.status).json(blockData.body);
+ } else {
+ return res.status(204).end();
+ }
 } catch {
 return res.status(400).json({
 status: "error",
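Review bot: An empty `blockId` (`?blockId=`) is a string, so it now passes the new guard and falls through to the `default` case, where the old truthiness test answered 400; which status it gets now depends on `createResponse`, which is not shown here. If the earlier behaviour is wanted, the guard could read `if (typeof req.query.blockId !== 'string' || req.query.blockId === '') {`. The type check also deserves a comment, because its reason is not visible from the line itself: `// with Express's default query parser a value can arrive as an array or nested object (?blockId[]=0, ?blockId[a]=b), so accept only a plain string`. Separately, `let history` and `let celebration` are declared directly in `case` clauses and therefore share the whole switch scope; wrapping each case body in braces would keep them local.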