Merge pull request #2355 from nextcloud/fallback-icon

fix: Ensure context icon is valid

Author: blizzz

lib/Controller/ContextController.php

@@ -102,6 +102,9 @@ public function show(int $contextId): DataResponse {
 	#[NoAdminRequired]
 	public function create(string $name, string $iconName, string $description = '', array $nodes = []): DataResponse {
 		try {
+			if (!$this->isValidIcon($iconName)) {
+				return new DataResponse(['message' => 'Invalid icon name'], Http::STATUS_BAD_REQUEST);
+			}
 			return new DataResponse($this->contextService->create(
 				$name,
 				$iconName,
@@ -128,9 +131,10 @@ public function create(string $name, string $iconName, string $description = '',
 	 * @param ?string $description provide this parameter to set a new description
 	 * @param ?array{id: int, type: int, permissions: int, order: int} $nodes provide this parameter to set a new list of nodes.
 	 *
-	 * @return DataResponse<Http::STATUS_OK, TablesContext, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND|Http::STATUS_FORBIDDEN, array{message: string}, array{}>
+	 * @return DataResponse<Http::STATUS_OK, TablesContext, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR|Http::STATUS_NOT_FOUND|Http::STATUS_FORBIDDEN|Http::STATUS_BAD_REQUEST, array{message: string}, array{}>
 	 *
 	 * 200: returning the full context information
+	 * 400: bad request
 	 * 403: No permissions
 	 * 404: Not found
 	 *
@@ -139,6 +143,9 @@ public function create(string $name, string $iconName, string $description = '',
 	#[NoAdminRequired]
 	public function update(int $contextId, ?string $name, ?string $iconName, ?string $description, ?array $nodes): DataResponse {
 		try {
+			if ($iconName !== null && !$this->isValidIcon($iconName)) {
+				return new DataResponse(['message' => 'Invalid icon name'], Http::STATUS_BAD_REQUEST);
+			}
 			$nodes = $nodes !== null ? $this->sanitizeInputNodes($nodes) : null;
 			return new DataResponse($this->contextService->update(
 				$contextId,
@@ -271,6 +278,14 @@ public function updateContentOrder(int $contextId, int $pageId, array $content):
 		return new DataResponse($this->contextService->updateContentOrder($pageId, $content));
 	}
 
+	protected function isValidIcon(string $iconName): bool {
+		if ($iconName === '' || !preg_match('/^[a-zA-Z0-9-]+$/', $iconName)) {
+			return false;
+		}
+		$iconPath = dirname(__DIR__, 2) . '/img/material/' . $iconName . '.svg';
+		return file_exists($iconPath);
+	}
+
 	/**
 	 * @param Context[] $contexts
 	 * @return array

openapi.json

@@ -11155,6 +11155,44 @@
                             }
                         }
                     },
+                    "400": {
+                        "description": "bad request",
+                        "content": {
+                            "application/json": {
+                                "schema": {
+                                    "type": "object",
+                                    "required": [
+                                        "ocs"
+                                    ],
+                                    "properties": {
+                                        "ocs": {
+                                            "type": "object",
+                                            "required": [
+                                                "meta",
+                                                "data"
+                                            ],
+                                            "properties": {
+                                                "meta": {
+                                                    "$ref": "#/components/schemas/OCSMeta"
+                                                },
+                                                "data": {
+                                                    "type": "object",
+                                                    "required": [
+                                                        "message"
+                                                    ],
+                                                    "properties": {
+                                                        "message": {
+                                                            "type": "string"
+                                                        }
+                                                    }
+                                                }
+                                            }
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
                     "401": {
                         "description": "Current user is not logged in",
                         "content": {

src/shared/components/ncIconPicker/mixins/svgHelper.js

@@ -5,11 +5,18 @@
 export default {
 	methods: {
 		async getContextIcon(iconName) {
-			const { default: icon } = await import(
-				`./../../../../../img/material/${iconName}.svg?raw`
-			)
+			try {
+				const { default: icon } = await import(
+					`./../../../../../img/material/${iconName}.svg?raw`
+				)
 
-			return icon.replaceAll(/#fff/g, 'currentColor')
+				return icon.replaceAll(/#fff/g, 'currentColor')
+			} catch (e) {
+				if (iconName !== 'apps') {
+					return this.getContextIcon('apps')
+				}
+				throw e
+			}
 		},
 	},
 }

src/types/openapi/openapi.ts

@@ -6359,6 +6359,22 @@ export interface operations {
                     };
                 };
             };
+            /** @description bad request */
+            readonly 400: {
+                headers: {
+                    readonly [name: string]: unknown;
+                };
+                content: {
+                    readonly "application/json": {
+                        readonly ocs: {
+                            readonly meta: components["schemas"]["OCSMeta"];
+                            readonly data: {
+                                readonly message: string;
+                            };
+                        };
+                    };
+                };
+            };
             /** @description Current user is not logged in */
             readonly 401: {
                 headers: {