fix: forbid creation of objects or fields with certain characters or with forbidden keywords that clashes with pg_graphql (#3957)

* fix: forbid creation of objects or fields with certain characters or with forbidden keywords that clashes with pg_graphql * refactor: add a decorator for name validation and use it on fields
2024-12-26 05:24:04 +03:00 · 2024-02-24 12:32:01 +01:00 · 2024-02-24 12:32:01 +01:00 · 0fe838d320
commit 0fe838d320
parent b1eb0577bc
4 changed files with 32 additions and 0 deletions
--- a/packages/twenty-server/src/metadata/decorators/is-valid-name.decorator.ts
+++ b/packages/twenty-server/src/metadata/decorators/is-valid-name.decorator.ts
@ -0,0 +1,24 @@
+import {
+  registerDecorator,
+  ValidationOptions,
+  ValidationArguments,
+} from 'class-validator';
+
+export function IsValidName(validationOptions?: ValidationOptions) {
+  return function (object: object, propertyName: string) {
+    registerDecorator({
+      name: 'IsValidName',
+      target: object.constructor,
+      propertyName: propertyName,
+      options: validationOptions,
+      validator: {
+        validate(value: any) {
+          return /^(?!(?:not|or|and)$)[^'\"\\;.=*/]+$/.test(value);
+        },
+        defaultMessage(args: ValidationArguments) {
+          return `${args.property} has failed the name validation check`;
+        },
+      },
+    });
+  };
+}
--- a/packages/twenty-server/src/metadata/field-metadata/dtos/field-metadata.dto.ts
+++ b/packages/twenty-server/src/metadata/field-metadata/dtos/field-metadata.dto.ts
@ -34,6 +34,7 @@ import { FieldMetadataType } from 'src/metadata/field-metadata/field-metadata.en
 import { BeforeDeleteOneField } from 'src/metadata/field-metadata/hooks/before-delete-one-field.hook';
 import { IsFieldMetadataDefaultValue } from 'src/metadata/field-metadata/validators/is-field-metadata-default-value.validator';
 import { IsFieldMetadataOptions } from 'src/metadata/field-metadata/validators/is-field-metadata-options.validator';
+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';

 registerEnumType(FieldMetadataType, {
  name: 'FieldMetadataType',
@ -74,6 +75,7 @@ export class FieldMetadataDTO<
  @IsString()
  @IsNotEmpty()
  @Field()
+  @IsValidName()
  name: string;

  @IsString()
--- a/packages/twenty-server/src/metadata/object-metadata/dtos/create-object.input.ts
+++ b/packages/twenty-server/src/metadata/object-metadata/dtos/create-object.input.ts
@ -3,6 +3,7 @@ import { Field, HideField, InputType } from '@nestjs/graphql';
 import { BeforeCreateOne } from '@ptc-org/nestjs-query-graphql';
 import { IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';

+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';
 import { BeforeCreateOneObject } from 'src/metadata/object-metadata/hooks/before-create-one-object.hook';

@InputType()
@ -11,11 +12,13 @@ export class CreateObjectInput {
  @IsString()
  @IsNotEmpty()
  @Field()
+  @IsValidName()
  nameSingular: string;

  @IsString()
  @IsNotEmpty()
  @Field()
+  @IsValidName()
  namePlural: string;

  @IsString()
--- a/packages/twenty-server/src/metadata/object-metadata/dtos/update-object.input.ts
+++ b/packages/twenty-server/src/metadata/object-metadata/dtos/update-object.input.ts
@ -3,6 +3,7 @@ import { Field, InputType } from '@nestjs/graphql';
 import { BeforeUpdateOne } from '@ptc-org/nestjs-query-graphql';
 import { IsBoolean, IsOptional, IsString, IsUUID } from 'class-validator';

+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';
 import { BeforeUpdateOneObject } from 'src/metadata/object-metadata/hooks/before-update-one-object.hook';

@InputType()
@ -21,11 +22,13 @@ export class UpdateObjectInput {
  @IsString()
  @IsOptional()
  @Field({ nullable: true })
+  @IsValidName()
  nameSingular?: string;

  @IsString()
  @IsOptional()
  @Field({ nullable: true })
+  @IsValidName()
  namePlural?: string;

  @IsString()