
Potential fix for code scanning alert no. 232: Server-side request forgery #138

Merged: breadddevv merged 1 commit into main from alert-autofix-232 on Apr 30, 2026

breadddevv (Collaborator) commented Apr 30, 2026

Potential fix for https://github.com/PlanetaryOrbit/orbit/security/code-scanning/232

General fix: never interpolate raw router.query values directly into request URLs. Normalize query params to a single string and validate against a strict allowlist/pattern (and reject arrays/invalid characters) before building the path.

Best targeted fix in pages/workspace/[id]/views.tsx:

  • Add a small helper to safely extract and validate router.query.id as a path-safe workspace ID.
  • In massAction, resolve workspaceId once via the helper; if invalid, show an error and abort.
  • Replace both URL templates using router.query.id with workspaceId (safe validated value).

This preserves functionality while removing tainted direct flow into axios URL construction.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Added validation for workspace identifiers in mass actions
    • Invalid workspace data now triggers an error notification
    • Improved API request reliability through validated workspace handling
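
The helper-and-abort pattern described in the PR description above, as an added TypeScript example that is not the code merged in this PR. The ID pattern, the `/api/example/...` path and every name other than `getSafeWorkspaceId` and `router.query.id` are assumptions.

```typescript
// Added example, not the project's code. router.query values in Next.js are
// string | string[] | undefined, modelled here as QueryValue.
type QueryValue = string | string[] | undefined;

// Assumed ID grammar (not taken from the PR): 1-64 letters, digits, "_" or "-".
// No "/", ".", "%", "?", "#" or "@", so the value cannot change the URL structure.
const WORKSPACE_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Returns the ID only if it is a single string matching the allowlist.
function getSafeWorkspaceId(raw: QueryValue): string | null {
  // A repeated parameter (?id=a&id=b) arrives as an array: reject, don't pick one.
  if (typeof raw !== "string") return null;
  return WORKSPACE_ID_PATTERN.test(raw) ? raw : null;
}

// "Before" shape flagged by the scanner: the tainted value flows into the path.
// The path is a hypothetical placeholder, not a path from the project.
function buildUrlUnsafe(raw: QueryValue): string {
  return `/api/example/${raw}/action`;
}

// "After" shape: resolve once, abort on invalid input, build from the safe value.
function buildUrlSafe(raw: QueryValue): string | null {
  const workspaceId = getSafeWorkspaceId(raw);
  if (workspaceId === null) return null; // caller shows an error and aborts
  return `/api/example/${workspaceId}/action`;
}

// Constructed sample inputs.
const samples: QueryValue[] = ["42", "../admin", "42?x=1", ["1", "2"], undefined];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", buildUrlSafe(s));
}
```
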

…rgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
coderabbitai Bot (Contributor) commented Apr 30, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0d3933c-9d6a-4b88-b281-214fdbd1cd9d

📥 Commits

Reviewing files that changed from the base of the PR and between d0fc290 and c409ff0.

📒 Files selected for processing (1)
  • pages/workspace/[id]/views.tsx

📝 Walkthrough

Adds input validation for workspace IDs in mass action operations. A new getSafeWorkspaceId function validates that router.query.id is a string with allowed characters. The mass action handler now validates the ID, displays an error toast for invalid values, and uses the validated ID in API request URLs.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Input Validation for Mass Actions: pages/workspace/[id]/views.tsx | Introduces getSafeWorkspaceId function to validate workspace ID from router query. Updates massAction to validate the ID before execution, show error toast on invalid input, and use validated ID in API request URLs for "add" activity and "userbook new" operations. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Poem

🐰 A hop through safety's garden bright,
Where workspace IDs pass the test,
No fuzzy strings in our requests—
Just validated paths, pure and right!


@breadddevv breadddevv marked this pull request as ready for review April 30, 2026 10:42
@breadddevv breadddevv merged commit e8f1e56 into main Apr 30, 2026
3 of 4 checks passed
@breadddevv breadddevv deleted the alert-autofix-232 branch April 30, 2026 10:42