#4618: security(tts): validate JSON structure when reading TTS user prefs
Cluster: Security Enhancements for TTS
## Summary
- Add runtime validation to `readPrefs()` in `src/tts/tts.ts` before trusting parsed JSON as `TtsUserPrefs`
- Previously `JSON.parse()` result was cast directly with `as TtsUserPrefs` without verifying the shape
- New `safeParseTtsPrefs()` validates the parsed value is a plain object and the `tts` field (if present) is also an object
- Malformed or tampered files now safely fall back to `{}` instead of propagating unexpected data
## Changed files
| File | Change |
|------|--------|
| `src/tts/tts.ts` | Add `safeParseTtsPrefs()` with runtime shape check; use it in `readPrefs()` |
## Test plan
- [x] `pnpm vitest run src/tts` -- 33/33 tests pass
- [x] `pnpm lint` -- 0 warnings, 0 errors
- [x] `pnpm format` -- all files formatted correctly
by lobster-biscuit
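The check described in the summary, as an added example that is not the project's own code: the unsafe direct cast sits beside a hardened parser that verifies the top level is a plain object and that `tts`, when present, is also a plain object, falling back to `{}` otherwise. The `TtsUserPrefs` fields and the fact that the parser works on the raw file text (file reading is left out) are assumptions for this example.

```typescript
// Added example (not from the PR): shape-checking TTS user prefs after JSON.parse().
// The TtsUserPrefs fields below are assumed; the real project's type may differ.
type TtsUserPrefs = {
  tts?: {
    provider?: string;
    voice?: string;
    auto?: boolean;
  };
};

// A "plain object" here means a non-null, non-array object. JSON.parse() can
// also yield arrays, strings, numbers, booleans and null, none of which should
// be trusted as a prefs record.
function isPlainObject(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// "Before": the `as` cast is purely compile-time. A prefs file containing
// `[]`, `"x"` or `{"tts": 42}` is accepted unchanged, and later property
// accesses on `prefs.tts` behave unexpectedly.
export function unsafeParseTtsPrefs(raw: string): TtsUserPrefs {
  return JSON.parse(raw) as TtsUserPrefs;
}

// "After": runtime validation before the value is treated as TtsUserPrefs.
// Invalid JSON, a non-object top level, or a `tts` field that is present but
// not a plain object (including null) all fall back to an empty prefs record.
export function safeParseTtsPrefs(raw: string): TtsUserPrefs {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    return {};
  }
  if (!isPlainObject(parsed)) {
    return {};
  }
  if ("tts" in parsed && !isPlainObject(parsed.tts)) {
    return {};
  }
  return parsed as TtsUserPrefs;
}

// Convenience accessor showing the downstream benefit: callers can read the
// tts section without first re-checking its type.
export function ttsVoiceOf(prefs: TtsUserPrefs): string | undefined {
  return prefs.tts?.voice;
}
```

Note that the hardened parser only validates the two levels the PR summary names (the record itself and its `tts` field); individual leaf fields such as `voice` still need their own checks before being passed to a provider.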
## Most Similar PRs
- #22086: fix(tts): honor explicit config provider and model/voice settings (by AIflow-Labs, 2026-02-20, 64.4%)
- #8339: fix(tts): validate ElevenLabs base URL against allowlist (by yubrew, 2026-02-03, 61.8%)
- #16089: fix(tts): clarify directive syntax in prompts and strip malformed tags (by kmixter, 2026-02-14, 60.7%)
- #23291: fix(tts): respect config auto=off over user prefs override (by SidQin-cyber, 2026-02-22, 60.1%)
- #8103: fix(tts): sanitize API keys from error messages (by yubrew, 2026-02-03, 60.0%)
- #23071: fix(tts): make config auto=off a hard-disable that overrides user p... (by hydro13, 2026-02-22, 59.3%)
- #21110: fix(tts): deliver audio via structured mediaUrl instead of MEDIA: t... (by hydro13, 2026-02-19, 58.6%)
- #8317: fix(tts): add dynamic timeout and retry logic for ElevenLabs TTS (by camtang26, 2026-02-03, 58.3%)
- #11704: feat(tts): OpenAI TTS baseUrl support for local servers (Chatterbox... (by mateusz-michalik, 2026-02-08, 57.9%)
- #20496: test(utils): add comprehensive unit tests for utility functions (by masifislamm, 2026-02-19, 57.5%)