fix(jsm): validate formIds is an array in copy_forms route and block

waleedlatif1 · waleedlatif1 · commit 37152fd34978 · 2026-04-13T18:36:57.000-07:00
diff --git a/apps/sim/app/api/tools/jsm/forms/copy/route.ts b/apps/sim/app/api/tools/jsm/forms/copy/route.ts
@@ -66,6 +66,10 @@ export async function POST(request: NextRequest) {
     const baseUrl = getJsmFormsApiBaseUrl(cloudId)
     const url = `${baseUrl}/issue/${encodeURIComponent(sourceIssueIdOrKey)}/form/copy/${encodeURIComponent(targetIssueIdOrKey)}`
 
+    if (formIds !== undefined && !Array.isArray(formIds)) {
+      return NextResponse.json({ error: 'formIds must be an array of form UUIDs' }, { status: 400 })
+    }
+
     const requestBody = Array.isArray(formIds) && formIds.length > 0 ? { ids: formIds } : {}
 
     logger.info('Copying forms:', { url, sourceIssueIdOrKey, targetIssueIdOrKey, formIds })
diff --git a/apps/sim/blocks/blocks/jira_service_management.ts b/apps/sim/blocks/blocks/jira_service_management.ts
@@ -1092,9 +1092,15 @@ Return ONLY the comment text - no explanations.`,
               formIds: params.formIds
                 ? (() => {
                     try {
-                      return JSON.parse(params.formIds)
-                    } catch {
-                      throw new Error('formIds must be valid JSON array')
+                      const parsed = JSON.parse(params.formIds)
+                      if (!Array.isArray(parsed)) {
+                        throw new Error('formIds must be a JSON array')
+                      }
+                      return parsed
+                    } catch (e) {
+                      throw e instanceof Error && e.message === 'formIds must be a JSON array'
+                        ? e
+                        : new Error('formIds must be valid JSON array')
                     }
                   })()
                 : undefined,
