From 442f50303a1164522b5f1a8550ec78ebfd260636 Mon Sep 17 00:00:00 2001
From: Craig Quiter
Date: Fri, 16 Aug 2024 15:10:53 -0700
Subject: [PATCH] Sanitize voice_id
---
 backend/apps/audio/main.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/backend/apps/audio/main.py b/backend/apps/audio/main.py
index 32377b79c2..21ad2886a3 100644
--- a/backend/apps/audio/main.py
+++ b/backend/apps/audio/main.py
@@ -254,6 +254,13 @@ async def speech(request: Request, user=Depends(get_verified_user)):
 raise HTTPException(status_code=400, detail="Invalid JSON payload")
 voice_id = payload.get("voice", "")
+
+ if voice_id not in get_available_voices():
+ raise HTTPException(
+ status_code=400,
+ detail="Invalid voice id",
+ )
+
 url = f"https://api.elevenlabs.io/v1/text-to-speech/{voice_id}"
 headers = {
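Review bot: The new membership test on `voice_id` runs on whatever JSON type the client sent, so a non-string `voice` (a list or object) could raise `TypeError` rather than return the intended 400 if `get_available_voices()` returns a dict or set; that helper is not visible in this hunk, so this needs confirming. I would check the type first, `if not isinstance(voice_id, str) or voice_id not in get_available_voices():`, and add a comment such as `# voice_id is interpolated into the upstream URL path; accept only ids from the known voice list` so the allow-list is not relaxed later. It is also worth checking what the helper returns when the voice list cannot be fetched: an empty result would reject every request with "Invalid voice id", which would be better reported as an upstream error. The body of `speech` starts and continues outside the hunk.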