From c8ff812643e051cb63a1f6ca822afd53cf0062ef Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Fri, 13 Jun 2025 14:42:45 -0500
Subject: [PATCH] catch for overly nested params with upload hash
---
 app/api.rb | 7 +++++++
 tests/api_tests.rb | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/app/api.rb b/app/api.rb
index f476003b..6fa1ac3e 100644
--- a/app/api.rb
+++ b/app/api.rb
@@ -9,6 +9,13 @@ post '/api/upload_hash' do
require_api_credentials
res = {}
files = []
+
+ params.each do |path, sha1_hash|
+ unless sha1_hash.is_a?(String)
+ api_error 400, 'nested_parameters_not_allowed', 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
+ end
+ end
+
params.each do |k,v|
res[k] = current_site.sha1_hash_match? k, v
end
diff --git a/tests/api_tests.rb b/tests/api_tests.rb
index a0527d0b..bc530459 100644
--- a/tests/api_tests.rb
+++ b/tests/api_tests.rb
@@ -241,6 +241,24 @@ describe 'api' do
_(res[:files][:'test.jpg']).must_equal true
_(res[:files][:'test2.jpg']).must_equal false
end
+
+ it 'rejects nested parameter structures' do
+ create_site
+ basic_authorize @user, @pass
+
+ post '/api/upload_hash', {
+ "one/two" => {
+ "three" => {
+ ".jpg" => "196b99a0ab80d1fc2e7caf49d98e8dd76db25c72"
+ }
+ }
+ }
+
+ _(last_response.status).must_equal 400
+ _(res[:result]).must_equal 'error'
+ _(res[:error_type]).must_equal 'nested_parameters_not_allowed'
+ _(res[:message]).must_equal 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
+ end
end
describe 'rename' do
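Review bot: The guard in the new `params.each` only rejects non-String values, so the error message's promise that each path maps to a SHA-1 hash string is stronger than what is actually checked — a String such as `'abc'` passes the guard and reaches `current_site.sha1_hash_match?` in the loop that follows, whose handling of malformed input is outside this hunk. If malformed hashes should be rejected at this point as well, the condition could become `unless sha1_hash.is_a?(String) && sha1_hash.match?(/\A\h{40}\z/)`, though a distinct error_type would then read better than `nested_parameters_not_allowed`. Separately, `path` is unused in the block, so `params.each_value do |sha1_hash|` (or `|_path, sha1_hash|`) avoids the unused-parameter warning, and the check could be folded into the existing `params.each do |k,v|` pass rather than iterating the hash twice. Whether `api_error` halts the request is not visible here; if it does not, the loop keeps going and the second pass would still call `sha1_hash_match?` with a Hash, so that is worth confirming. The `post '/api/upload_hash'` block starts and ends outside the hunk.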
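Review bot: The new test exercises only a nested-Hash value, while the guard it covers (`is_a?(String)`) also rejects Array values such as Rack's `name[]=value` form, which is left untested; a second example like `post '/api/upload_hash', { 'test.jpg' => ['196b99a0ab80d1fc2e7caf49d98e8dd76db25c72'] }` asserting the same 400 status and error_type would pin that path. Asserting the full `res[:message]` text duplicates the server string verbatim, so any wording tweak breaks the test; checking `res[:error_type]` and the status is usually enough, or the message can be compared with `_(res[:message]).must_match(/nested parameters are not allowed/)`. The `res` helper the assertions read is presumably defined earlier in the file and is not visible in this hunk. The enclosing `describe 'api'` block starts before the hunk.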