fix: validate and allowlist language before prompt injection

[Copilot]

PR #92 removed the language allowlist check, replacing it with language = body.language || "English" — allowing arbitrary strings to be injected directly into the Gemini prompt via direct API calls, bypassing UI restrictions.

Changes

src/app/api/generate/route.ts

• Restores type-safe allowlist validation against SUPPORTED_LANGUAGES; falls back to "English" for any unrecognized value

const rawLanguage =
  typeof body.language === "string" ? body.language.trim() : "";
const normalized =
  rawLanguage.charAt(0).toUpperCase() + rawLanguage.slice(1).toLowerCase();
language = (SUPPORTED_LANGUAGES as readonly string[]).includes(normalized)
  ? normalized
  : "English";

src/components/Generator/SearchInput.tsx

• Removes the duplicate inline languages array introduced in PR feat: Multi-Language README Support #92; uses the SUPPORTED_LANGUAGES constant as the single source of truth
• Restores the aria-label on the language <select> that was dropped in PR feat: Multi-Language README Support #92

Original prompt

---

This section details on the original issue you should resolve

<issue_title>error</issue_title>
<issue_description>> ⚠️ Potential issue | 🟠 Major

Validate and allowlist language on the API before using it in the prompt.

Line 17 accepts arbitrary body.language, and Line 101 injects it directly into the model prompt. This can be bypassed via direct API calls (ignoring UI dropdown restrictions) and used to manipulate prompt behavior.

🔧 Proposed fix

+const SUPPORTED_LANGUAGES = new Set([
+  "English",
+  "Spanish",
+  "French",
+  "German",
+  "Chinese",
+  "Japanese",
+  "Korean",
+  "Portuguese",
+  "Russian",
+  "Arabic",
+  "Turkish",
+]);

 export async function POST(req: Request) {
   let rawUrl: string;
   let language: string;
   try {
     const body = await req.json();
-    rawUrl = body.url;
-    language = body.language || "English";
+    if (typeof body?.url !== "string") {
+      return NextResponse.json({ error: "GitHub URL is required" }, { status: 400 });
+    }
+
+    const requestedLanguage =
+      typeof body?.language === "string" ? body.language.trim() : "English";
+
+    if (!SUPPORTED_LANGUAGES.has(requestedLanguage)) {
+      return NextResponse.json({ error: "Unsupported language" }, { status: 400 });
+    }
+
+    rawUrl = body.url;
+    language = requestedLanguage;
   } catch {
     return NextResponse.json({ error: "Invalid JSON body" }, { status: 400 });
   }

Also applies to: 99-102

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/app/api/generate/route.ts` around lines 13 - 17, The code reads
body.language into the local variable language and later interpolates it into
the model prompt; to prevent prompt manipulation validate and allowlist this
value immediately after parsing req.json(): accept only known languages (e.g.,
["English","Spanish",...]) by normalizing case/whitespace and mapping aliases,
otherwise set language = "English" or return a 400 error; update the assignment
site where language is set from body.language and ensure the same validated
language variable is the one used when building the prompt (replace any direct
use of body.language with the validated language).

Originally posted by @coderabbitai[bot] in #92</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes error #105

---

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
readme-gen-ai	Ready	Preview, Comment	Mar 24, 2026 6:04pm