
validate invalid key in qiita importer

Naoki427 10 months ago
parent
commit
b8cd9adb4b
1 changed files with 10 additions and 0 deletions
  1. 10 0
      apps/app/src/server/routes/admin.js

+ 10 - 0
apps/app/src/server/routes/admin.js

@@ -126,6 +126,16 @@ module.exports = function(crowi, app) {
       return res.json(ApiResponse.error('Qiita form is blank'));
     }
 
+    const ALLOWED_KEYS = ['importer:qiita:team_name', 'importer:qiita:access_token'];
+    const receivedKeys = Object.keys(form);
+
+    const unexpectedKeys = receivedKeys.filter(key => !ALLOWED_KEYS.includes(key));
+
+    if (unexpectedKeys.length > 0) {
+      logger.warn('Qiita config update contained unexpected keys.', { unexpectedKeys });
+      return res.json(ApiResponse.error('Invalid config keys provided.'));
+    }
+
     await configManager.updateConfigs(form);
     importer.initializeQiitaClient(); // let it run in the back aftert res
     const parameters = { action: SupportedAction.ACTION_ADMIN_QIITA_DATA_UPDATED };
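Review bot: The new allowlist checks only key names, so a value of any type (nested object, array, number) under the two allowed keys still reaches `configManager.updateConfigs(form)`. If `form` is taken from the request body, which the hunk does not show, add a value check before the update, e.g. `if (!receivedKeys.every(key => typeof form[key] === 'string')) { return res.json(ApiResponse.error('Invalid config values provided.')); }`. The `logger.warn` call also writes request-controlled key names to the log unbounded; logging `unexpectedKeys.length`, or a truncated list, would keep a hostile request from flooding or polluting the log. `ALLOWED_KEYS` is rebuilt on every request and could be hoisted to module scope as a frozen constant. The enclosing route handler starts and ends outside this hunk.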