From feed827223bf78e25f8ca015af57f76d46fecc3e Mon Sep 17 00:00:00 2001
From: advplyr
Date: Fri, 10 Oct 2025 18:00:37 -0500
Subject: [PATCH] Update settings update endpoint to validate allowedOrigins is array
---
 server/controllers/MiscController.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/server/controllers/MiscController.js b/server/controllers/MiscController.js
index c779bdd63..490cb27d2 100644
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@@ -142,6 +142,9 @@ class MiscController {
 Logger.warn('Cannot disable iframe when ALLOW_IFRAME is enabled in environment')
 return res.status(400).send('Cannot disable iframe when ALLOW_IFRAME is enabled in environment')
 }
+ if (settingsUpdate.allowedOrigins && !Array.isArray(settingsUpdate.allowedOrigins)) {
+ return res.status(400).send('allowedOrigins must be an array')
+ }
 const madeUpdates = Database.serverSettings.update(settingsUpdate)
 if (madeUpdates) {
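Review bot: The new guard on `settingsUpdate.allowedOrigins` only fires for truthy values, so `0`, `''` or `false` skip the check and still reach `Database.serverSettings.update(settingsUpdate)`, and an array whose elements are not strings (nested objects, numbers) is accepted as is. If this list feeds origin matching for CORS (not visible here), element types matter as much as the container type. Consider `if (settingsUpdate.allowedOrigins !== undefined && (!Array.isArray(settingsUpdate.allowedOrigins) || !settingsUpdate.allowedOrigins.every((o) => typeof o === 'string'))) {`, relaxing it for `null` only if that is a supported way to clear the list, and add a `Logger.warn` like the ALLOW_IFRAME branch above so rejected updates are visible in logs. The enclosing handler starts and ends outside this hunk, so earlier validation cannot be ruled out.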