Product route: PUT replaces entire object with unsanitized input

## Severity: High
## Category: Security

### Description
In `api/src/routes/product.ts` (line 115), `products[index] = req.body` allows a client to inject arbitrary properties (prototype pollution risk) and also loses the original `productId` if the client omits it.

```typescript
// Current — wholesale replacement
products[index] = req.body;
```

### Suggested Fix
Merge explicitly and preserve the ID:

```typescript
products[index] = { ...req.body, productId: products[index].productId };
```

Or better yet, whitelist allowed fields:

```typescript
const { name, description, price, supplierId, stockLevel, imgName } = req.body;
products[index] = { ...products[index], name, description, price, supplierId, stockLevel, imgName };
```

### Affected File
- `api/src/routes/product.ts` (line 115)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Product route: PUT replaces entire object with unsanitized input #15

Severity: High

Category: Security

Description

Suggested Fix

Affected File

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Product route: PUT replaces entire object with unsanitized input #15

Description

Severity: High

Category: Security

Description

Suggested Fix

Affected File

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions