fix: forbid creation of objects or fields with certain characters or with forbidden keywords that clashes with pg_graphql (#3957)

* fix: forbid creation of objects or fields with certain characters or with forbidden keywords that clashes with pg_graphql

* refactor: add a decorator for name validation and use it on fields

packages/twenty-server/src/metadata/decorators/is-valid-name.decorator.ts

@@ -0,0 +1,24 @@
+import {
+  registerDecorator,
+  ValidationOptions,
+  ValidationArguments,
+} from 'class-validator';
+
+export function IsValidName(validationOptions?: ValidationOptions) {
+  return function (object: object, propertyName: string) {
+    registerDecorator({
+      name: 'IsValidName',
+      target: object.constructor,
+      propertyName: propertyName,
+      options: validationOptions,
+      validator: {
+        validate(value: any) {
+          return /^(?!(?:not|or|and)$)[^'\"\\;.=*/]+$/.test(value);
+        },
+        defaultMessage(args: ValidationArguments) {
+          return `${args.property} has failed the name validation check`;
+        },
+      },
+    });
+  };
+}

packages/twenty-server/src/metadata/field-metadata/dtos/field-metadata.dto.ts

@@ -34,6 +34,7 @@ import { FieldMetadataType } from 'src/metadata/field-metadata/field-metadata.en
 import { BeforeDeleteOneField } from 'src/metadata/field-metadata/hooks/before-delete-one-field.hook';
 import { IsFieldMetadataDefaultValue } from 'src/metadata/field-metadata/validators/is-field-metadata-default-value.validator';
 import { IsFieldMetadataOptions } from 'src/metadata/field-metadata/validators/is-field-metadata-options.validator';
+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';
 
 registerEnumType(FieldMetadataType, {
   name: 'FieldMetadataType',
@@ -74,6 +75,7 @@ export class FieldMetadataDTO<
   @IsString()
   @IsNotEmpty()
   @Field()
+  @IsValidName()
   name: string;
 
   @IsString()

packages/twenty-server/src/metadata/object-metadata/dtos/create-object.input.ts

@@ -3,6 +3,7 @@ import { Field, HideField, InputType } from '@nestjs/graphql';
 import { BeforeCreateOne } from '@ptc-org/nestjs-query-graphql';
 import { IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
 
+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';
 import { BeforeCreateOneObject } from 'src/metadata/object-metadata/hooks/before-create-one-object.hook';
 
 @InputType()
@@ -11,11 +12,13 @@ export class CreateObjectInput {
   @IsString()
   @IsNotEmpty()
   @Field()
+  @IsValidName()
   nameSingular: string;
 
   @IsString()
   @IsNotEmpty()
   @Field()
+  @IsValidName()
   namePlural: string;
 
   @IsString()

packages/twenty-server/src/metadata/object-metadata/dtos/update-object.input.ts

@@ -3,6 +3,7 @@ import { Field, InputType } from '@nestjs/graphql';
 import { BeforeUpdateOne } from '@ptc-org/nestjs-query-graphql';
 import { IsBoolean, IsOptional, IsString, IsUUID } from 'class-validator';
 
+import { IsValidName } from 'src/metadata/decorators/is-valid-name.decorator';
 import { BeforeUpdateOneObject } from 'src/metadata/object-metadata/hooks/before-update-one-object.hook';
 
 @InputType()
@@ -21,11 +22,13 @@ export class UpdateObjectInput {
   @IsString()
   @IsOptional()
   @Field({ nullable: true })
+  @IsValidName()
   nameSingular?: string;
 
   @IsString()
   @IsOptional()
   @Field({ nullable: true })
+  @IsValidName()
   namePlural?: string;
 
   @IsString()