From eb3e91b8e97329b40fa1e61c6e25160d57eed34d Mon Sep 17 00:00:00 2001
From: Vasanth Anbukumar <182255621+vas2000-emu@users.noreply.github.com>
Date: Mon, 3 Nov 2025 11:47:17 -0500
Subject: [PATCH] Potential fix for code scanning alert no. 54: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 apps/web/app/api/import-playlist/route.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/web/app/api/import-playlist/route.js b/apps/web/app/api/import-playlist/route.js
index 86b5d4d..b1eb8aa 100644
--- a/apps/web/app/api/import-playlist/route.js
+++ b/apps/web/app/api/import-playlist/route.js
@@ -240,7 +240,8 @@ async function importYouTubePlaylist(supabase, playlistUrl, userId) {
 async function importSpotifyPlaylist(supabase, playlistUrl, userId) {
   // Extract playlist ID from URL
   const playlistId = extractSpotifyPlaylistId(playlistUrl);
-  if (!playlistId) {
+  // Validate that playlistId is exactly 22 alphanumeric characters (Spotify format)
+  if (!playlistId || !/^[a-zA-Z0-9]{22}$/.test(playlistId)) {
     throw new Error('Invalid Spotify playlist URL');
   }
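Review bot: The allow-list check on `playlistId` only closes the SSRF finding if every outbound request in the rest of `importSpotifyPlaylist` is built from `playlistId` and never from the raw `playlistUrl`; the body continues outside the hunk, so that should be confirmed before treating alert 54 as resolved. The validation would also be more robust inside `extractSpotifyPlaylistId` itself, so any other caller gets the same guarantee instead of relying on each call site to repeat the regex. As a point of style, hoist the literal to a named module-level constant, `const SPOTIFY_PLAYLIST_ID_RE = /^[a-zA-Z0-9]{22}$/;`, and test with `if (!playlistId || !SPOTIFY_PLAYLIST_ID_RE.test(playlistId)) {` so the format assumption is documented in one place. The hunk header shows a sibling `importYouTubePlaylist` that presumably extracts an ID the same way; it likely deserves an equivalent format check, though its body is not visible here.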