From 206033a7314101bd5276e3546f0a6d9cf000adc5 Mon Sep 17 00:00:00 2001
From: "Philip H." <47042125+pheiduck@users.noreply.github.com>
Date: Sun, 3 Dec 2023 10:04:42 +0000
Subject: [PATCH] fixup: Prototype-polluting assignment (medium)
---
 src/lib/Server.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/lib/Server.js b/src/lib/Server.js
index 75e2a3e6..b7cd79c8 100644
--- a/src/lib/Server.js
+++ b/src/lib/Server.js
@@ -118,6 +118,9 @@ module.exports = class Server {
 const svg = await WireGuard.getClientQRCodeSVG({ clientId });
 res.header('Content-Type', 'image/svg+xml');
 res.send(svg);
+ if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+ res.end(403);
+ }
 }))
 .get('/api/wireguard/client/:clientId/configuration', Util.promisify(async (req, res) => {
 const { clientId } = req.params;
@@ -131,6 +134,9 @@ module.exports = class Server {
 res.header('Content-Disposition', `attachment; filename="${configName || clientId}.conf"`);
 res.header('Content-Type', 'text/plain');
 res.send(config);
+ if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') {
+ res.end(403);
+ }
 }))
 .post('/api/wireguard/client', Util.promisify(async (req) => {
 const { name } = req.body;
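Review bot: The added guard in both hunks sits after the lookup and after `res.send(...)`, so a `clientId` of `__proto__`, `constructor` or `prototype` has already been passed to `WireGuard.getClientQRCodeSVG({ clientId })` (and, in the second hunk, to the configuration lookup that lies outside the hunk) and the response has already gone out before the value is tested. The check belongs directly after `const { clientId } = req.params;` in each handler (for the QR-code handler that line is above the first hunk) and should stop the handler there, e.g. `res.status(403).end();` followed by `return;`. `res.end(403)` also does not set a status, since `end()` takes a body chunk rather than a status code, so even if it ran first it would not answer 403. How `Util.promisify` treats an early return is not visible here, and any other `:clientId` routes in this file presumably need the same rejection, so one shared validation step would be safer than per-route copies.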