|
1 | 1 | import { createLogger } from '@sim/logger' |
2 | 2 | import { type NextRequest, NextResponse } from 'next/server' |
3 | 3 | import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid' |
4 | | -import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation' |
| 4 | +import { |
| 5 | + validateAlphanumericId, |
| 6 | + validateJiraCloudId, |
| 7 | + validatePaginationCursor, |
| 8 | + validatePathSegment, |
| 9 | +} from '@/lib/core/security/input-validation' |
5 | 10 | import { getConfluenceCloudId } from '@/tools/confluence/utils' |
6 | 11 |
|
7 | 12 | const logger = createLogger('ConfluenceTasksAPI') |
@@ -180,11 +185,40 @@ export async function POST(request: NextRequest) { |
180 | 185 | const queryParams = new URLSearchParams() |
181 | 186 | queryParams.append('limit', String(Math.min(limit, 250))) |
182 | 187 |
|
183 | | - if (cursor) queryParams.append('cursor', cursor) |
| 188 | + if (cursor) { |
| 189 | + const cursorValidation = validatePaginationCursor(cursor, 'cursor') |
| 190 | + if (!cursorValidation.isValid) { |
| 191 | + return NextResponse.json({ error: cursorValidation.error }, { status: 400 }) |
| 192 | + } |
| 193 | + queryParams.append('cursor', cursor) |
| 194 | + } |
184 | 195 | if (taskStatus) queryParams.append('status', taskStatus) |
185 | | - if (pageId) queryParams.append('page-id', pageId) |
186 | | - if (spaceId) queryParams.append('space-id', spaceId) |
187 | | - if (assignedTo) queryParams.append('assigned-to', assignedTo) |
| 196 | + if (pageId) { |
| 197 | + const pageIdValidation = validateAlphanumericId(pageId, 'pageId', 255) |
| 198 | + if (!pageIdValidation.isValid) { |
| 199 | + return NextResponse.json({ error: pageIdValidation.error }, { status: 400 }) |
| 200 | + } |
| 201 | + queryParams.append('page-id', pageId) |
| 202 | + } |
| 203 | + if (spaceId) { |
| 204 | + const spaceIdValidation = validateAlphanumericId(spaceId, 'spaceId', 255) |
| 205 | + if (!spaceIdValidation.isValid) { |
| 206 | + return NextResponse.json({ error: spaceIdValidation.error }, { status: 400 }) |
| 207 | + } |
| 208 | + queryParams.append('space-id', spaceId) |
| 209 | + } |
| 210 | + if (assignedTo) { |
| 211 | + // Atlassian account IDs: 5d5bd05c3aee0123abc or 557058:6b9c9931-4693-49c1-8b3a-931f1af98134 |
| 212 | + const assignedToValidation = validatePathSegment(assignedTo, { |
| 213 | + paramName: 'assignedTo', |
| 214 | + maxLength: 128, |
| 215 | + customPattern: /^[a-zA-Z0-9_|:-]+$/, |
| 216 | + }) |
| 217 | + if (!assignedToValidation.isValid) { |
| 218 | + return NextResponse.json({ error: assignedToValidation.error }, { status: 400 }) |
| 219 | + } |
| 220 | + queryParams.append('assigned-to', assignedTo) |
| 221 | + } |
188 | 222 |
|
189 | 223 | const url = `https://api.atlassian.com/ex/confluence/${cloudId}/wiki/api/v2/tasks?${queryParams.toString()}` |
190 | 224 |
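Review bot: `taskStatus` is still appended to the query unvalidated on the context line `if (taskStatus) queryParams.append('status', taskStatus)`, while every sibling parameter in this hunk (cursor, pageId, spaceId, assignedTo) now gets a check first; since the upstream v2 tasks endpoint accepts only a small fixed set of status values, an allowlist is the natural fit, e.g. `if (taskStatus && !['complete', 'incomplete'].includes(taskStatus)) {` / `return NextResponse.json({ error: 'Invalid status' }, { status: 400 })` before the append. The `customPattern` for `assignedTo` admits `|`, which neither of the two account-ID examples in the comment above it uses; if that character is intentionally allowed for another ID form, extend the comment with an example of it, otherwise drop it from the class. The enclosing `POST` handler starts and ends outside this hunk.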
|
|