GitHub Security Alert: Profile Import Feature Missing Prototype Pollution Guard
A security vulnerability in an application's profile import function exposes the system to prototype pollution. The `importProfile()` function in `src/store/profile-store.ts` (lines 150–194) parses user-supplied JSON without checking for dangerous keys such as `__proto__`, `constructor`, or `prototype`. This omission is a medium-severity hole: maliciously crafted data can corrupt `Object.prototype`, the object from which every ordinary JavaScript object inherits.
`JSON.parse()` itself is safe, but the object it returns is never sanitized. If that object is later processed with common JavaScript operations such as the spread operator (`{...obj}`), `Object.assign()`, or a `for...in` loop, the dangerous properties can be injected into the object prototype. An attacker could submit a payload that embeds a `__proto__` key with a value such as `{ "isAdmin": true }`, potentially altering the behavior of every object in the application and leading to privilege escalation or other unpredictable failures.
The immediate impact is a direct risk of prototype pollution, which can cause denial of service, bypass security checks, or lead to remote code execution in downstream dependencies. The flaw highlights a critical gap in the data validation layer: structural checks for required fields such as `semesters` and `settings` are performed, but sanitization of prototype-polluting keys is entirely absent. The vulnerability remains active until the import logic is patched to explicitly reject or strip these dangerous properties before any further processing.