fix: Reject non-string locale values in getLocale

mtrezza · mtrezza · commit a4cb56c3c3f2 · 2026-03-18T21:07:53.000Z
Add guard to reject non-string locale values (e.g. arrays from
query string parsing) before the regex validation check.
diff --git a/src/Routers/PagesRouter.js b/src/Routers/PagesRouter.js
@@ -549,6 +549,9 @@ export class PagesRouter extends PromiseRouter {
 
     // Validate locale format to prevent path traversal; only allow
     // standard locale patterns like "en", "en-US", "de-AT", "zh-Hans-CN"
+    if (locale !== undefined && typeof locale !== 'string') {
+      return undefined;
+    }
     if (typeof locale === 'string' && !/^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})*$/.test(locale)) {
       return undefined;
     }

Original file line number	Diff line number	Diff line change
`@@ -549,6 +549,9 @@ export class PagesRouter extends PromiseRouter {`
`549`	`549`
`550`	`550`	`// Validate locale format to prevent path traversal; only allow`
`551`	`551`	`// standard locale patterns like "en", "en-US", "de-AT", "zh-Hans-CN"`
	`552`	`+ if (locale !== undefined && typeof locale !== 'string') {`
	`553`	`+ return undefined;`
	`554`	`+ }`
`552`	`555`	`if (typeof locale === 'string' && !/^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})*$/.test(locale)) {`
`553`	`556`	`return undefined;`
`554`	`557`	`}`