fix validate workflowFn query parameter for API #1239

Closed
kochrac wants to merge 2 commits into vercel:main from kochrac:patch-1
@kochrac kochrac commented Mar 2, 2026

To fix this class of problem, ensure all user-controlled values used as strings are first normalized: if they can be arrays or other types, explicitly check and reject or convert them before calling string methods or using them as keys. For Next.js query parameters, that means verifying the value is a string and not an array of strings (or any other type) before using it.

For this specific file, the best fix is to treat `workflowFn` similarly to the “GOOD” example in the background: check that the value is a string and not an array. Concretely:

- Read `req.query.workflowFn` into a variable that can be `string | string[] | undefined`.
- If the value is an array, reject the request with a 400 error explaining that only a single value is allowed.
- If the value is not a string or is empty, fall back to the default `'simple'` (or return an error, but the current logic already provides a default).
- Only after confirming it is a string, assign it to `workflowFn` and use `.includes('.')`, `.split('.')`, and error messages.

All these changes occur in `workbench/nextjs-webpack/pages/api/trigger-pages.ts`, specifically around lines 34–38 where `workflowFn` is currently derived.

Signed-off-by: kochengrac <[email protected]>
@kochrac kochrac requested a review from a team as a code owner March 2, 2026 20:44
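
The four steps listed in the PR description, written out as an added TypeScript example; it is not code from the pull request or the repository. `normalizeWorkflowFn`, `uncheckedBehaviour` and the two types are hypothetical names, and the second function is a constructed stand-in for a handler that casts the query value to a string without checking it.

```typescript
// Added example. A repeated parameter (?workflowFn=a&workflowFn=b) is parsed
// into an array, so a query value is string | string[] | undefined.
type QueryValue = string | string[] | undefined;

type Normalized =
  | { ok: true; workflowFn: string }
  | { ok: false; status: 400; error: string };

// Hypothetical helper following the four steps in the PR description.
function normalizeWorkflowFn(raw: QueryValue): Normalized {
  // Step 2: a repeated parameter arrives as an array; reject it with a 400.
  if (Array.isArray(raw)) {
    return { ok: false, status: 400, error: 'workflowFn must be a single value' };
  }
  // Step 3: missing, non-string or empty falls back to the default.
  if (typeof raw !== 'string' || raw === '') {
    return { ok: true, workflowFn: 'simple' };
  }
  // Step 4: only now is it safe to call string methods on the value.
  return { ok: true, workflowFn: raw };
}

// Constructed stand-in for the unchecked path: on an array, .includes() is an
// element-membership test and .split() does not exist.
function uncheckedBehaviour(raw: QueryValue): string {
  const value = (raw ?? 'simple') as string; // the cast hides the real type
  try {
    return value.includes('.') ? `split:${value.split('.').length}` : 'no-dot';
  } catch (e) {
    return `threw:${(e as Error).name}`;
  }
}
```

With an array input the unchecked version either misreads a dotted name as having no dot or throws a `TypeError`, which surfaces as a 500 instead of a 400.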
changeset-bot bot commented Mar 2, 2026

⚠️ No Changeset found

Latest commit: 28775f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Contributor

vercel bot commented Mar 2, 2026

@kochrac is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

@VaguelySerious
Member

@kochrac What problem does this solve? Are you seeing arrays being passed in any case?

Collaborator

pranaygp commented Mar 3, 2026

this looks like our internal workbench test app. not relevant to workflow usage so I'm not sure why you're making this PR?

@pranaygp pranaygp closed this Mar 3, 2026