Closed
Labels
area: ai-logic (Related to Gemini prompts, tokens, or model responses.)
area: backend (Related to Next.js API routes or Octokit/GitHub API.)
area: frontend (Changes specifically for the UI/Tailwind components.)
bug (Something isn't working)
documentation (Improvements or additions to documentation)
javascript (Tasks involving vanilla JS logic or legacy scripts.)
typescript (Type definition fixes, interfaces, or TS configuration.)
Description
⚠️ Potential issue | 🟠 Major

Validate and allowlist `language` on the API before using it in the prompt.

Line 17 accepts arbitrary `body.language`, and Line 101 injects it directly into the model prompt. This can be bypassed via direct API calls (ignoring UI dropdown restrictions) and used to manipulate prompt behavior.

🔧 Proposed fix
+const SUPPORTED_LANGUAGES = new Set([ + "English", + "Spanish", + "French", + "German", + "Chinese", + "Japanese", + "Korean", + "Portuguese", + "Russian", + "Arabic", + "Turkish", +]); export async function POST(req: Request) { let rawUrl: string; let language: string; try { const body = await req.json(); - rawUrl = body.url; - language = body.language || "English"; + if (typeof body?.url !== "string") { + return NextResponse.json({ error: "GitHub URL is required" }, { status: 400 }); + } + + const requestedLanguage = + typeof body?.language === "string" ? body.language.trim() : "English"; + + if (!SUPPORTED_LANGUAGES.has(requestedLanguage)) { + return NextResponse.json({ error: "Unsupported language" }, { status: 400 }); + } + + rawUrl = body.url; + language = requestedLanguage; } catch { return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 }); }Also applies to: 99-102
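Review bot: In the `requestedLanguage` assignment, a non-string `body.language` (a number, array or object) silently becomes "English", while an empty string or a differently cased value such as "english" now gets a 400 from `SUPPORTED_LANGUAGES.has(requestedLanguage)`; the removed `body.language || "English"` defaulted the empty case, so this is a behaviour change for existing callers. Suggest defaulting only when the field is absent or empty, returning 400 for any other non-string value, and normalizing case before the lookup. Separately, `typeof body?.url !== "string"` still lets an empty string through even though the error text is "GitHub URL is required", so an emptiness check belongs in the same condition.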
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/app/api/generate/route.ts` around lines 13 - 17, The code reads body.language into the local variable language and later interpolates it into the model prompt; to prevent prompt manipulation validate and allowlist this value immediately after parsing req.json(): accept only known languages (e.g., ["English","Spanish",...]) by normalizing case/whitespace and mapping aliases, otherwise set language = "English" or return a 400 error; update the assignment site where language is set from body.language and ensure the same validated language variable is the one used when building the prompt (replace any direct use of body.language with the validated language).
Originally posted by @coderabbitai[bot] in #92
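The agent prompt above asks for case/whitespace normalization and alias mapping, which the proposed diff does not include. The following is an added example of that step, not code from the repository or from the original comment; the function name `resolveLanguage`, the `ALIASES` table and the choice to treat an absent or empty value as "English" are assumptions.

```typescript
// Added example: resolve a caller-supplied language to a server-side constant.
// The prompt only ever receives one of these literals, never the request bytes.
const SUPPORTED_LANGUAGES = [
  "English", "Spanish", "French", "German", "Chinese", "Japanese",
  "Korean", "Portuguese", "Russian", "Arabic", "Turkish",
] as const;
type SupportedLanguage = (typeof SUPPORTED_LANGUAGES)[number];

// Hypothetical alias table (assumption, not from the page).
const ALIASES: Record<string, SupportedLanguage> = {
  en: "English", es: "Spanish", fr: "French", de: "German", zh: "Chinese",
  ja: "Japanese", ko: "Korean", pt: "Portuguese", ru: "Russian",
  ar: "Arabic", tr: "Turkish",
};

// Lookup keyed by lowercase name or alias; values are the canonical literals.
const CANONICAL = new Map<string, SupportedLanguage>();
for (const name of SUPPORTED_LANGUAGES) CANONICAL.set(name.toLowerCase(), name);
for (const [alias, name] of Object.entries(ALIASES)) CANONICAL.set(alias, name);

const DEFAULT_LANGUAGE: SupportedLanguage = "English";

/**
 * Returns the canonical language, or null when the request must be
 * rejected with HTTP 400. Absent or empty input falls back to the default
 * (assumption: keeps the old `body.language || "English"` behaviour).
 */
function resolveLanguage(input: unknown): SupportedLanguage | null {
  if (input === undefined || input === null) return DEFAULT_LANGUAGE;
  // Arrays, numbers and objects are rejected, not coerced or defaulted.
  if (typeof input !== "string") return null;
  // NFKC folds full-width and compatibility forms before comparison.
  const key = input.normalize("NFKC").trim().toLowerCase();
  if (key === "") return DEFAULT_LANGUAGE;
  // Exact match only: any extra text after a valid name fails the lookup.
  return CANONICAL.get(key) ?? null;
}
```

In the route handler, a `null` result maps to the 400 "Unsupported language" response, and the returned constant is the only value interpolated into the prompt.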