From 82e5de22619ca7a933fc81242f0205de0f646453 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 2 Nov 2025 22:06:14 +0000
Subject: [PATCH] Add input validation for prefix to address security concerns

Co-authored-by: eliandoran <21236836+eliandoran@users.noreply.github.com>
---
 apps/server/src/routes/api/branches.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/server/src/routes/api/branches.ts b/apps/server/src/routes/api/branches.ts
index 977fd34a7..73ce03a7a 100644
--- a/apps/server/src/routes/api/branches.ts
+++ b/apps/server/src/routes/api/branches.ts
@@ -277,6 +277,11 @@ function setPrefixBatch(req: Request) {
 throw new ValidationError("branchIds must be an array");
 }

+ // Validate that prefix is a string or null/undefined to prevent prototype pollution
+ if (prefix !== null && prefix !== undefined && typeof prefix !== 'string') {
+ throw new ValidationError("prefix must be a string or null");
+ }
+
 const normalizedPrefix = utils.isEmptyOrWhitespace(prefix) ? null : prefix;

 let updatedCount = 0;
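Review bot: The comment on the added guard names prototype pollution, but a `typeof` check on a value does not address that class of bug. What the guard actually stops is a non-string JSON value (object, array, number) from the request body reaching `utils.isEmptyOrWhitespace` and whatever later stores `normalizedPrefix`. I would reword it to `// Reject non-string prefix values from the request body (type confusion); null/undefined mean "no prefix"` so the next reader does not assume key-based pollution is covered here. The visible context checks `branchIds` only with `Array.isArray`; if its elements are not type-checked further down, they deserve the same string check. `setPrefixBatch` starts and continues outside this hunk, so that part is unconfirmed.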