fix(webapp): harden error status filter validation

Use hasOwnProperty instead of `in` when validating filter[status] so
inherited Object properties (e.g. toString) can't pass validation and map
to a non-status value.

Author: ericallam

apps/webapp/app/presenters/v3/ApiErrorListPresenter.server.ts

@@ -45,7 +45,11 @@ export const ApiErrorListSearchParams = z.object({
       }
 
       const statuses = value.split(",");
-      const invalid = statuses.filter((status) => !(status in API_STATUS_TO_DB));
+      // hasOwnProperty, not `in`: `in` walks the prototype chain, so
+      // `filter[status]=toString` would pass and map to a function.
+      const invalid = statuses.filter(
+        (status) => !Object.prototype.hasOwnProperty.call(API_STATUS_TO_DB, status)
+      );
 
       if (invalid.length > 0) {
         ctx.addIssue({