From 33f5cbeca69b3cd1b09c476de17cdcb8c18ba28c Mon Sep 17 00:00:00 2001
From: Steven Nguyen
Date: Fri, 23 Jun 2023 16:07:58 -0700
Subject: [PATCH] Restrict characters for project ID

Only allow lowercase alphanumeric chars and hyphens because the project ID is used as part of url schemes to redirect users back to mobile apps and certain characters are not allowed.
---
app/controllers/api/projects.php | 4 +-
.../Utopia/Database/Validator/ProjectId.php | 56 +++++++++++++++++++
.../Database/Validator/ProjectIdTest.php | 47 ++++++++++++++++
3 files changed, 105 insertions(+), 2 deletions(-)
create mode 100644 src/Appwrite/Utopia/Database/Validator/ProjectId.php
create mode 100644 tests/unit/Utopia/Database/Validator/ProjectIdTest.php

diff --git a/app/controllers/api/projects.php b/app/controllers/api/projects.php
index b5c37ce969..cc8c618c81 100644
--- a/app/controllers/api/projects.php
+++ b/app/controllers/api/projects.php
@@ -9,7 +9,7 @@ use Appwrite\Network\Validator\CNAME;
 use Utopia\Validator\Domain as DomainValidator;
 use Appwrite\Network\Validator\Origin;
 use Utopia\Validator\URL;
-use Appwrite\Utopia\Database\Validator\CustomId;
+use Appwrite\Utopia\Database\Validator\ProjectId;
 use Appwrite\Utopia\Response;
 use Utopia\Abuse\Adapters\TimeLimit;
 use Utopia\App;
@@ -56,7 +56,7 @@ App::post('/v1/projects')
 ->label('sdk.response.code', Response::STATUS_CODE_CREATED)
 ->label('sdk.response.type', Response::CONTENT_TYPE_JSON)
 ->label('sdk.response.model', Response::MODEL_PROJECT)
- ->param('projectId', '', new CustomId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, A-Z, 0-9, period, hyphen, and underscore. Can\'t start with a special char. Max length is 36 chars.')
+ ->param('projectId', '', new ProjectId(), 'Unique Id. Choose a custom ID or generate a random ID with `ID.unique()`. Valid chars are a-z, and hyphen. Can\'t start with a special char. Max length is 36 chars.')
 ->param('name', null, new Text(128), 'Project name. Max length: 128 chars.')
 ->param('teamId', '', new UID(), 'Team unique ID.')
 ->param('region', App::getEnv('_APP_REGION', 'default'), new Whitelist(array_keys(array_filter(Config::getParam('regions'), fn($config) => !$config['disabled']))), 'Project Region.', true)
diff --git a/src/Appwrite/Utopia/Database/Validator/ProjectId.php b/src/Appwrite/Utopia/Database/Validator/ProjectId.php
new file mode 100644
index 0000000000..46b0cdf53e
--- /dev/null
+++ b/src/Appwrite/Utopia/Database/Validator/ProjectId.php
@@ -0,0 +1,56 @@
+object = new ProjectId();
+ }
+
+ public function tearDown(): void
+ {
+ }
+
+ /**
+ * @return array
+ */
+ public function provideTest(): array
+ {
+ return [
+ 'unique()' => ['unique()', true],
+ 'dashes' => ['as12-df34', true],
+ '36 chars' => [\str_repeat('a', 36), true],
+ 'uppercase' => ['ABC', false],
+ 'underscore' => ['under_score', false],
+ 'leading dash' => ['-dash', false],
+ 'too long' => [\str_repeat('a', 37), false],
+ ];
+ }
+
+ /**
+ * @dataProvider provideTest
+ */
+ public function testValues(string $input, bool $expected): void
+ {
+ $this->assertEquals($this->object->isValid($input), $expected);
+ }
+}
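Review bot: The new description on the `projectId` param lists the allowed characters as "a-z, and hyphen", which leaves out digits, although the commit message says lowercase alphanumerics are allowed and the new test accepts `as12-df34`. The sentence should read `Valid chars are a-z, 0-9, and hyphen.` so that callers are not told a stricter rule than the validator enforces. The validator is attached only to `POST /v1/projects` in this hunk, so projects created earlier under the `CustomId` rule (uppercase, period, underscore) presumably still exist; the code that builds the mobile redirect URL scheme should not assume every stored ID already matches the new rule. The route definition continues outside the hunk.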
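Review bot: The cases in `provideTest()` leave boundary inputs unpinned that matter for a validator whose purpose is to keep the project ID safe inside a redirect URL scheme: there is no case for a period (which the previous `CustomId` rule allowed), for the empty string, or for a trailing newline, which a pattern ending in a plain `$` anchor would accept. Adding `'period' => ['per.iod', false],` and `'trailing newline' => ["abc\n", false],`, plus an empty-string case with whatever result is intended, would lock those down. The body of `ProjectId.php` and the top of this test file did not survive on this page, so whether the pattern already rejects these inputs cannot be confirmed from here. Separately, `assertEquals` takes the expected value first, so the assertion in `testValues` would read better as `$this->assertSame($expected, $this->object->isValid($input));`.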