From 605c85ca9707cb8a95469d072e9eada97b62fd17 Mon Sep 17 00:00:00 2001
From: Bob Farrell
Date: Wed, 3 Apr 2024 18:49:32 +0100
Subject: [PATCH] Fix UAF in static routes

Dupe resource ID before freeing Data memory.
---
 src/jetzig/http/StaticRequest.zig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/jetzig/http/StaticRequest.zig b/src/jetzig/http/StaticRequest.zig
index 261d73c..e47db1c 100644
--- a/src/jetzig/http/StaticRequest.zig
+++ b/src/jetzig/http/StaticRequest.zig
@@ -32,7 +32,7 @@ pub fn resourceId(self: *Self) ![]const u8 {
 // Routes generator rejects missing `.id` option so this should always be present.
 // Note that static requests are never rendered at runtime so we can be unsafe here and risk
 // failing a build (which would not be coherent if we allowed it to complete).
- return data.value.?.get("id").?.string.value;
+ return try self.allocator.dupe(u8, data.value.?.get("id").?.string.value);
 }
 
 /// Returns the static params defined by `pub const static_params` in the relevant view.
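Review bot: The new `return try self.allocator.dupe(u8, ...)` line hands the caller a freshly allocated slice, but nothing visible in the hunk documents that ownership change. The start of `resourceId` lies outside the hunk, so I cannot see its doc comment or how `data` is released. If `self.allocator` is not an arena, every existing call site now leaks unless it frees the result. I would add a doc line on the function such as `/// Caller owns the returned slice; it is allocated with self.allocator and stays valid after the parsed data is freed.` and check the callers against it. The retained comment above the return could also say that the copy exists because the parsed value does not outlive this function, so a later cleanup does not revert to returning the borrowed slice.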