fix(google-ads): add input validation for GAQL query parameters

Author: waleedlatif1

apps/sim/tools/google_ads/ad_performance.ts

@@ -2,6 +2,7 @@ import type {
   GoogleAdsAdPerformanceParams,
   GoogleAdsAdPerformanceResponse,
 } from '@/tools/google_ads/types'
+import { validateDate, validateDateRange, validateNumericId } from '@/tools/google_ads/types'
 import type { ToolConfig } from '@/tools/types'
 
 export const googleAdsAdPerformanceTool: ToolConfig<
@@ -83,8 +84,10 @@ export const googleAdsAdPerformanceTool: ToolConfig<
   },
 
   request: {
-    url: (params) =>
-      `https://googleads.googleapis.com/v19/customers/${params.customerId}/googleAds:search`,
+    url: (params) => {
+      const customerId = validateNumericId(params.customerId, 'customerId')
+      return `https://googleads.googleapis.com/v19/customers/${customerId}/googleAds:search`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {
@@ -104,17 +107,19 @@ export const googleAdsAdPerformanceTool: ToolConfig<
       const conditions: string[] = ["ad_group_ad.status != 'REMOVED'"]
 
       if (params.campaignId) {
-        conditions.push(`campaign.id = ${params.campaignId}`)
+        conditions.push(`campaign.id = ${validateNumericId(params.campaignId, 'campaignId')}`)
       }
 
       if (params.adGroupId) {
-        conditions.push(`ad_group.id = ${params.adGroupId}`)
+        conditions.push(`ad_group.id = ${validateNumericId(params.adGroupId, 'adGroupId')}`)
       }
 
       if (params.startDate && params.endDate) {
-        conditions.push(`segments.date BETWEEN '${params.startDate}' AND '${params.endDate}'`)
+        const start = validateDate(params.startDate, 'startDate')
+        const end = validateDate(params.endDate, 'endDate')
+        conditions.push(`segments.date BETWEEN '${start}' AND '${end}'`)
       } else {
-        const dateRange = params.dateRange || 'LAST_30_DAYS'
+        const dateRange = validateDateRange(params.dateRange || 'LAST_30_DAYS')
         conditions.push(`segments.date DURING ${dateRange}`)
       }
 

apps/sim/tools/google_ads/campaign_performance.ts

@@ -2,6 +2,7 @@ import type {
   GoogleAdsCampaignPerformanceParams,
   GoogleAdsCampaignPerformanceResponse,
 } from '@/tools/google_ads/types'
+import { validateDate, validateDateRange, validateNumericId } from '@/tools/google_ads/types'
 import type { ToolConfig } from '@/tools/types'
 
 export const googleAdsCampaignPerformanceTool: ToolConfig<
@@ -71,8 +72,10 @@ export const googleAdsCampaignPerformanceTool: ToolConfig<
   },
 
   request: {
-    url: (params) =>
-      `https://googleads.googleapis.com/v19/customers/${params.customerId}/googleAds:search`,
+    url: (params) => {
+      const customerId = validateNumericId(params.customerId, 'customerId')
+      return `https://googleads.googleapis.com/v19/customers/${customerId}/googleAds:search`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {
@@ -92,13 +95,15 @@ export const googleAdsCampaignPerformanceTool: ToolConfig<
       const conditions: string[] = ["campaign.status != 'REMOVED'"]
 
       if (params.campaignId) {
-        conditions.push(`campaign.id = ${params.campaignId}`)
+        conditions.push(`campaign.id = ${validateNumericId(params.campaignId, 'campaignId')}`)
       }
 
       if (params.startDate && params.endDate) {
-        conditions.push(`segments.date BETWEEN '${params.startDate}' AND '${params.endDate}'`)
+        const start = validateDate(params.startDate, 'startDate')
+        const end = validateDate(params.endDate, 'endDate')
+        conditions.push(`segments.date BETWEEN '${start}' AND '${end}'`)
       } else {
-        const dateRange = params.dateRange || 'LAST_30_DAYS'
+        const dateRange = validateDateRange(params.dateRange || 'LAST_30_DAYS')
         conditions.push(`segments.date DURING ${dateRange}`)
       }
 

apps/sim/tools/google_ads/list_ad_groups.ts

@@ -2,6 +2,7 @@ import type {
   GoogleAdsListAdGroupsParams,
   GoogleAdsListAdGroupsResponse,
 } from '@/tools/google_ads/types'
+import { validateNumericId, validateStatus } from '@/tools/google_ads/types'
 import type { ToolConfig } from '@/tools/types'
 
 export const googleAdsListAdGroupsTool: ToolConfig<
@@ -64,8 +65,10 @@ export const googleAdsListAdGroupsTool: ToolConfig<
   },
 
   request: {
-    url: (params) =>
-      `https://googleads.googleapis.com/v19/customers/${params.customerId}/googleAds:search`,
+    url: (params) => {
+      const customerId = validateNumericId(params.customerId, 'customerId')
+      return `https://googleads.googleapis.com/v19/customers/${customerId}/googleAds:search`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {
@@ -82,10 +85,11 @@ export const googleAdsListAdGroupsTool: ToolConfig<
       let query =
         'SELECT ad_group.id, ad_group.name, ad_group.status, ad_group.type, campaign.id, campaign.name FROM ad_group'
 
-      const conditions: string[] = [`campaign.id = ${params.campaignId}`]
+      const campaignId = validateNumericId(params.campaignId, 'campaignId')
+      const conditions: string[] = [`campaign.id = ${campaignId}`]
 
       if (params.status) {
-        conditions.push(`ad_group.status = '${params.status}'`)
+        conditions.push(`ad_group.status = '${validateStatus(params.status)}'`)
       } else {
         conditions.push("ad_group.status != 'REMOVED'")
       }

apps/sim/tools/google_ads/list_campaigns.ts

@@ -2,6 +2,7 @@ import type {
   GoogleAdsListCampaignsParams,
   GoogleAdsListCampaignsResponse,
 } from '@/tools/google_ads/types'
+import { validateNumericId, validateStatus } from '@/tools/google_ads/types'
 import type { ToolConfig } from '@/tools/types'
 
 export const googleAdsListCampaignsTool: ToolConfig<
@@ -58,8 +59,10 @@ export const googleAdsListCampaignsTool: ToolConfig<
   },
 
   request: {
-    url: (params) =>
-      `https://googleads.googleapis.com/v19/customers/${params.customerId}/googleAds:search`,
+    url: (params) => {
+      const customerId = validateNumericId(params.customerId, 'customerId')
+      return `https://googleads.googleapis.com/v19/customers/${customerId}/googleAds:search`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {
@@ -78,7 +81,7 @@ export const googleAdsListCampaignsTool: ToolConfig<
 
       const conditions: string[] = []
       if (params.status) {
-        conditions.push(`campaign.status = '${params.status}'`)
+        conditions.push(`campaign.status = '${validateStatus(params.status)}'`)
       } else {
         conditions.push("campaign.status != 'REMOVED'")
       }

apps/sim/tools/google_ads/search.ts

@@ -1,4 +1,5 @@
 import type { GoogleAdsSearchParams, GoogleAdsSearchResponse } from '@/tools/google_ads/types'
+import { validateNumericId } from '@/tools/google_ads/types'
 import type { ToolConfig } from '@/tools/types'
 
 export const googleAdsSearchTool: ToolConfig<GoogleAdsSearchParams, GoogleAdsSearchResponse> = {
@@ -58,8 +59,10 @@ export const googleAdsSearchTool: ToolConfig<GoogleAdsSearchParams, GoogleAdsSea
   },
 
   request: {
-    url: (params) =>
-      `https://googleads.googleapis.com/v19/customers/${params.customerId}/googleAds:search`,
+    url: (params) => {
+      const customerId = validateNumericId(params.customerId, 'customerId')
+      return `https://googleads.googleapis.com/v19/customers/${customerId}/googleAds:search`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {

apps/sim/tools/google_ads/types.ts

@@ -1,5 +1,52 @@
 import type { ToolResponse } from '@/tools/types'
 
+const NUMERIC_ID_REGEX = /^\d+$/
+const DATE_REGEX = /^\d{4}-\d{2}-\d{2}$/
+const VALID_STATUSES = new Set(['ENABLED', 'PAUSED', 'REMOVED'])
+const VALID_DATE_RANGES = new Set([
+  'LAST_7_DAYS',
+  'LAST_30_DAYS',
+  'THIS_MONTH',
+  'LAST_MONTH',
+  'TODAY',
+  'YESTERDAY',
+])
+
+/** Validates that a value is a numeric ID (digits only). */
+export function validateNumericId(value: string, fieldName: string): string {
+  const cleaned = value.replace(/-/g, '')
+  if (!NUMERIC_ID_REGEX.test(cleaned)) {
+    throw new Error(`${fieldName} must be numeric (digits only), got: ${value}`)
+  }
+  return cleaned
+}
+
+/** Validates that a status value is a known Google Ads status. */
+export function validateStatus(value: string): string {
+  if (!VALID_STATUSES.has(value)) {
+    throw new Error(`Invalid status: ${value}. Must be one of: ${[...VALID_STATUSES].join(', ')}`)
+  }
+  return value
+}
+
+/** Validates a date string is in YYYY-MM-DD format. */
+export function validateDate(value: string, fieldName: string): string {
+  if (!DATE_REGEX.test(value)) {
+    throw new Error(`${fieldName} must be in YYYY-MM-DD format, got: ${value}`)
+  }
+  return value
+}
+
+/** Validates a date range is a known Google Ads predefined range. */
+export function validateDateRange(value: string): string {
+  if (!VALID_DATE_RANGES.has(value)) {
+    throw new Error(
+      `Invalid date range: ${value}. Must be one of: ${[...VALID_DATE_RANGES].join(', ')}`
+    )
+  }
+  return value
+}
+
 export interface GoogleAdsBaseParams {
   accessToken: string
   customerId: string