From ce086217fd6f36c6a56cedc41d596113e9d9eeb3 Mon Sep 17 00:00:00 2001
From: Bartosz Sypytkowski
Date: Mon, 9 Dec 2024 08:22:17 +0100
Subject: [PATCH] fix: add validation to to list database row details endpoint (#1055)
---
 src/api/workspace.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/api/workspace.rs b/src/api/workspace.rs
index 669938ef..7c966bea 100644
--- a/src/api/workspace.rs
+++ b/src/api/workspace.rs
@@ -1985,6 +1985,21 @@ async fn list_database_row_details_handler(
 let list_db_row_query = param.into_inner();
 let row_ids = list_db_row_query.into_ids();
+ if let Err(e) = Uuid::parse_str(&workspace_id) {
+ return Err(
+ AppError::InvalidRequest(format!("invalid workspace id `{}`: {}", db_id, e)).into(),
+ );
+ }
+ if let Err(e) = Uuid::parse_str(&db_id) {
+ return Err(AppError::InvalidRequest(format!("invalid database id `{}`: {}", db_id, e)).into());
+ }
+
+ for id in row_ids.iter() {
+ if let Err(e) = Uuid::parse_str(id) {
+ return Err(AppError::InvalidRequest(format!("invalid row id `{}`: {}", id, e)).into());
+ }
+ }
+
 state
 .workspace_access_control
 .enforce_action(&uid, &workspace_id, Action::Read)
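Review bot: The workspace-id branch reports the wrong value: its `format!` call interpolates `db_id`, so a malformed workspace id is rejected with a message that names the database id, which misleads anyone triaging rejected requests from client errors or logs. The argument in that branch should be `workspace_id` instead of `db_id`. Separately, the row-id loop parses every element before `enforce_action` runs, so the validation cost is paid for callers who have not yet passed the access check; whether `into_ids()` bounds the list length is not visible here and is worth confirming. The body of `list_database_row_details_handler` starts and ends outside this hunk.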