fix(security): harden input validation schemas and fix SSR sanitize bypass

- blueprint rolePresets: cap array at 100 items to prevent storage abuse - notification CreateManagedNotification: add .max() on title (500), body (2000), type (100), entityType/entityId (200), link (1000), taskAction (200) - settings: add .max() on all string config fields; add regex allowlist (/^[a-zA-Z0-9._-]+$/) on model name fields (geminiModel, azureDalleDeployment, azureOpenAiDeployment) to prevent path manipulation - sanitizeHtml: fix SSR bypass — server-side branch now strips HTML tags instead of returning the raw string unchanged Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:38:16 +02:00
parent df191d1e03
commit 1833182e90
4 changed files with 25 additions and 22 deletions
@@ -54,7 +54,7 @@ export const blueprintUpdateInputSchema = z.object({

 export const blueprintRolePresetsInputSchema = z.object({
  id: z.string(),
-  rolePresets: z.array(z.unknown()),
+  rolePresets: z.array(z.unknown()).max(100),
 });

 export const blueprintBatchDeleteInputSchema = z.object({