feat: add run_id format validation in DELETE training/runs endpoint

Validate that run_id matches /^[a-zA-Z0-9_-]+$ regex before interpolating into the API URL. Returns HTTP 400 with 'Invalid run_id format' error if validation fails. This prevents potential URL injection attacks and invalid identifier usage.
2026-02-18 10:58:54 +01:00 · 2026-02-18 10:58:54 +01:00 · 870f92d208
commit 870f92d208
parent 4e5ce321b9
2 changed files with 11 additions and 1 deletions
--- a/src/app/api/training/runs/[run_id]/route.ts
+++ b/src/app/api/training/runs/[run_id]/route.ts
@ -8,6 +8,16 @@ export async function DELETE(
  { params }: { params: Promise<{ run_id: string }> }
 ) {
  const { run_id } = await params;
+
+  // Validate run_id format before using in interpolation
+  const RUN_ID_REGEX = /^[a-zA-Z0-9_-]+$/;
+  if (!RUN_ID_REGEX.test(run_id)) {
+    return NextResponse.json(
+      { error: 'Invalid run_id format' },
+      { status: 400 }
+    );
+  }
+
  const controller = new AbortController();
  const timeoutId = setTimeout(() => controller.abort(), INFERENCE_API_TIMEOUT);