Potential fix for code scanning alert no. 1: Prototype-polluting assignment

[chrisreddington]

Potential fix for https://github.com/github-samples/turn-based-game-mcp/security/code-scanning/1

To fix the prototype pollution risk, we must ensure that move.row and move.col are strictly numbers and not special property names like "__proto__", "constructor", or "prototype". The best way to do this is to add explicit type and value checks in the validateMove method to ensure that both row and col are numbers (not strings or other types), are integers, and are within the valid range (0, 1, 2). This prevents any string keys from being used to index into the board array, thus eliminating the risk of prototype pollution. The changes should be made in the validateMove method in shared/src/games/tic-tac-toe.ts.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Copilot]

Pull Request Overview

This PR addresses a prototype pollution security vulnerability by strengthening input validation in the TicTacToe game's move validation logic. The fix ensures that move coordinates are strictly numeric integers within bounds, preventing malicious string keys from being used to manipulate object prototypes.

• Enhanced the validateMove method to include type checking for row and col parameters
• Added explicit checks for numeric types and integer values before bounds validation
• Replaces simple bounds checking with comprehensive input sanitization

Comments suppressed due to low confidence (1)

shared/src/games/tic-tac-toe.ts:1

• The fix correctly addresses prototype pollution by validating that row and col are numbers and integers. However, consider also checking for NaN values using Number.isNaN(row) || Number.isNaN(col) since NaN is of type 'number' but would fail integer checks and could cause unexpected behavior.

import { Game, Player, PlayerId, GameResult } from '../types/game';