
Silent error on metadata object create if name contains forbidden characters

Open lucasbordeau opened this issue 1 year ago • 6 comments

Bug Description

When we create a metadata object with createOneObject on /metadata, if we pass a nameSingular or namePlural with : . for example, it will crash or produce a name different than the user input (for example with just the right part of the string split with .)

Expected behavior

We want to receive an error on the frontend if the user sends forbidden characters in nameSingular or namePlural. We should also prevent the user from sending forbidden characters by using a regex in the text input and a message that explains why we cannot input forbidden characters.

lucasbordeau avatar Oct 20 '23 09:10 lucasbordeau

@magrinj input: use classValidator on entities

charlesBochet avatar Oct 23 '23 13:10 charlesBochet

I was thinking we should do something like ^[A-Za-z0-9 ]*$ but not cool for people using non-latin characters, could be better to use a blacklist instead of a whitelist.

I propose the following regex: ^[^'\"\\;./*=*/]+$

Possible steps to resolve:

  • Frontend: modify frontend inputs on SettingsObjectFormSection to something like <input type="text" pattern="^[^'\"\\;./*=*/]+$" />
  • Backend: use https://www.npmjs.com/package/class-validator -> @Matches() on object metadata dtos (see field meta data dtos)

FelixMalfait avatar Dec 31 '23 12:12 FelixMalfait
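
An added example, not part of the original thread or the Twenty code base: it runs the two patterns quoted in the comment above, plus a Unicode-aware allowlist (an assumption introduced here), against constructed names, including the `:` and `.` cases from the bug description. The function names `checkName` and `validateObjectNames` are hypothetical.

```javascript
// Added example: names and sample inputs below are constructed for illustration.
// The first two patterns are copied from the comment above; the third is an assumption.
const PATTERNS = {
  asciiAllowlist: new RegExp(String.raw`^[A-Za-z0-9 ]*$`),
  proposedDenylist: new RegExp(String.raw`^[^'\"\\;./*=*/]+$`),
  // Unicode-aware allowlist: letters, combining marks, digits, spaces.
  unicodeAllowlist: new RegExp(String.raw`^[\p{L}\p{M}\p{N} ]+$`, "u"),
};

// Returns, per pattern, whether the candidate name is accepted.
function checkName(name) {
  const result = {};
  for (const [label, re] of Object.entries(PATTERNS)) {
    result[label] = typeof name === "string" && re.test(name);
  }
  return result;
}

// Server-side style check for the two fields named in the issue.
// Returns a list of error messages; an empty list means the input is accepted.
function validateObjectNames(input, pattern = PATTERNS.unicodeAllowlist) {
  const errors = [];
  for (const field of ["nameSingular", "namePlural"]) {
    const value = input[field];
    if (typeof value !== "string" || !pattern.test(value)) {
      errors.push(`${field}: empty or contains forbidden characters`);
    }
  }
  return errors;
}

// Constructed sample names: plain ASCII, the "." and ":" cases, Cyrillic, empty.
const SAMPLES = ["invoice", "my.object", "my:object", "счёт", ""];
for (const name of SAMPLES) {
  console.log(JSON.stringify(name), checkName(name));
}
console.log(validateObjectNames({ nameSingular: "my:object", namePlural: "invoices" }));
```

Running the same check on the backend as well as in the input field keeps a direct call to createOneObject from bypassing the frontend pattern.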

Is this up for grabs?

a-kud avatar Jan 02 '24 02:01 a-kud

Sure @a-kud thanks a lot!

FelixMalfait avatar Jan 02 '24 06:01 FelixMalfait

I have a high workload right now, feel free to work on this one.

a-kud avatar Jan 07 '24 00:01 a-kud

No prob, thanks @a-kud

FelixMalfait avatar Jan 07 '24 08:01 FelixMalfait