UN-3318 [FIX] Allow apostrophes in Platform API Key name and description #1994
The SAFE_TEXT allow-list regex (introduced in #1860) rejected apostrophes, blocking valid names like "Chandru's key". Apostrophe is XSS-irrelevant under React auto-escaping and Django ORM parameterization; the comment's stated intent is only "no HTML tags or angle brackets", which is preserved. Downstream service-account email construction already self-sanitizes via re.sub, so it is unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Summary by CodeRabbit
Walkthrough
Backend and frontend input validation patterns are independently updated: the backend now allows apostrophes in safe-text fields, while the frontend disallows closing parentheses. Both changes update corresponding error messages to reflect the new character restrictions.
Changes: Input Validation Pattern Updates
Estimated code review effort: 1 (Trivial) | ~3 minutes
Pre-merge checks: 5 passed
| Filename | Overview |
|---|---|
| backend/platform_api/serializers.py | Adds apostrophe to SAFE_TEXT_PATTERN regex and updates error message; change is minimal and correct. |
| frontend/src/components/settings/platform-api-keys/PlatformApiKeys.jsx | Adds apostrophe to SAFE_TEXT_REGEX and updates user-facing message to match backend change. |
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User submits API key name/description] --> B{Frontend SAFE_TEXT_REGEX}
    B -- "matches [a-zA-Z0-9 \-_.,:'()/]+" --> C[Form passes client-side validation]
    B -- "fails (e.g. HTML tags)" --> D[Show SAFE_TEXT_MESSAGE to user]
    C --> E[POST/PATCH to backend]
    E --> F{Backend validate_safe_text}
    F -- "passes SAFE_TEXT_PATTERN" --> G[Check name uniqueness per org]
    F -- "fails" --> H[Return 400 with SAFE_TEXT_ERROR]
    G -- "unique" --> I[Save PlatformApiKey to DB via ORM]
    G -- "duplicate" --> J[Return 400 duplicate-name error]
```
Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/platform-ke..."
Frontend Lint Report (Biome): All checks passed! No linting or formatting issues found.

What
') in the Platform API Key name and description fields on both frontend validation and backend serializer.
Why
SAFE_TEXT allow-list regex introduced with UN-3318 [FEAT] Platform API key implementation #1860 rejected apostrophes, blocking valid names like Chandru's key.
How
backend/platform_api/serializers.py: added ' to SAFE_TEXT_PATTERN and updated SAFE_TEXT_ERROR message.
frontend/src/components/settings/platform-api-keys/PlatformApiKeys.jsx: added ' to SAFE_TEXT_REGEX and updated SAFE_TEXT_MESSAGE.
Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
services._slugify_for_email) already self-sanitizes via re.sub(r"[^a-z0-9\-]", "", slug), so the email/username path is unaffected.
(name, organization) is unchanged.
Database Migrations
Env Config
Relevant Docs
Related Issues or PRs
SAFE_TEXT_PATTERN).
Dependencies Versions
Notes on Testing
Chandru's key and description John's prod token — both should now save.
<script>) is still rejected.
Screenshots
N/A — text validation change only.
Checklist
I have read and understood the Contribution Guidelines.
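
An added example (not the project's code) of the allow-list check and the downstream slug sanitization this PR describes, run over constructed inputs. The character class is the one shown in the flowchart above; the pre-fix pattern, the names is_safe_text, slugify_for_email and classify, and everything in the slug helper except the quoted re.sub are assumptions.

```python
import re

# Character class as shown in the page's flowchart (assumed to match the backend too).
SAFE_TEXT_PATTERN = re.compile(r"[a-zA-Z0-9 \-_.,:'()/]+")
# Assumed pre-fix class: the same set without the apostrophe.
OLD_SAFE_TEXT_PATTERN = re.compile(r"[a-zA-Z0-9 \-_.,:()/]+")


def is_safe_text(value: str, pattern: re.Pattern = SAFE_TEXT_PATTERN) -> bool:
    # fullmatch() anchors both ends of the string; unlike match() with "$",
    # it does not accept a trailing newline after otherwise valid text.
    return pattern.fullmatch(value) is not None


def slugify_for_email(name: str) -> str:
    # Hypothetical stand-in for the service helper: only the final re.sub
    # is quoted on the page, the lower-casing and hyphenation are assumed.
    slug = name.strip().lower().replace(" ", "-")
    return re.sub(r"[^a-z0-9\-]", "", slug)


# Constructed sample inputs (not taken from the project's tests).
SAMPLES = [
    "Chandru's key",              # rejected before the fix, accepted after
    "John's prod token",
    "<script>alert(1)</script>",  # angle brackets stay outside the allow-list
    "key\n",                      # trailing newline must not slip through
    "",                           # "+" requires at least one character
    "clé d'API",                  # non-ASCII letters are still rejected
]


def classify(samples=SAMPLES):
    """Map each sample to (accepted by old pattern, accepted by new pattern)."""
    return {
        s: (is_safe_text(s, OLD_SAFE_TEXT_PATTERN), is_safe_text(s))
        for s in samples
    }


if __name__ == "__main__":
    for s, (old, new) in classify().items():
        print(f"{s!r:30} old={old!s:5} new={new!s:5} slug={slugify_for_email(s)!r}")
```
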