[bug][validation] Workspace name update accepts URLs and empty values (NoUrls/min-length enforced only at setup); error message is generic #127

Closed
opened 2026-06-22 06:27:50 +03:00 by Ghost · 0 comments

**Severity:** low (validation parity)

The workspace-name update path has weaker validation than the setup path and gives worse errors.

**Findings (live):**

- Setting the workspace name to `Visit https://evil.com now` → `POST /api/workspace/update` **200**, persisted. The setup form rejects URLs in names, but `UpdateWorkspaceDto`/`CreateWorkspaceDto` `name` has no `@NoUrls` (the validator exists and is used in `invitation.dto.ts`, just not here). See `apps/server/src/core/workspace/dto/create-workspace.dto.ts`.
- Empty name is accepted; the **Save** button never disables (no dirty-tracking, no min-length, no client `maxlength`).
- A 65-char over-limit name returns a generic toast **"Failed to update data"**, whereas the adjacent tracker field returns a precise message ("trackerHead must be shorter than or equal to 20000 characters"). Inconsistent error quality for the same kind of violation, and the server's specific 400 message is swallowed in favor of the generic toast.

**Suggested fix:** apply `@NoUrls`/min-length on the workspace name DTO; disable Save when clean/empty; surface the server's specific validation message.

---

_Filed from an automated full-product QA pass on `develop` @ `v0.93.0-64-gb60190ff`, fresh DB. Each item below was reproduced live in a clean browser session unless noted._

### Screenshot

![Issue 127: workspace Name saved as 'Visit https://evil.com now' with 'Updated successfully' toast](https://gitea.vvzvlad.xyz/attachments/4c595ffe-cee6-4fd3-9ad2-9f53b07e88c5)
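The three fixes the report asks for (a URL/length rule on the `name` field, a Save button that stays disabled while the field is clean or invalid, and a client that shows the server's own 400 message instead of a generic toast) are sketched below as an added example. This is not gitmost's code and does not use `class-validator`; it restates the rules as plain functions so it runs stand-alone. The minimum length of 1, the maximum of 64 (inferred only from the report's "65-char over-limit" wording), the URL regex, and the `Bad Request` body shape (the `{ statusCode, message: string[], error }` object NestJS's `ValidationPipe` returns) are assumptions about the target project.

```typescript
// Added example, not gitmost code. Plain-function version of the rules the
// issue wants on UpdateWorkspaceDto.name, plus the client-side handling.

const NAME_MIN = 1;   // assumption: shortest accepted workspace name
const NAME_MAX = 64;  // assumption: the report calls a 65-char name "over-limit"

// Assumed @NoUrls semantics: reject scheme://..., www.-prefixed hosts, and bare
// host.tld for a short list of common TLDs. Tune the TLD list for your product.
const URL_PATTERN =
  /(?:[a-z][a-z0-9+.-]*:\/\/|www\.)\S+|\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|io|dev|app|xyz)\b/i;

function containsUrl(value: string): boolean {
  return URL_PATTERN.test(value);
}

// Server-side rule set for `name`, worded like class-validator's default
// messages so the client can show them verbatim. Returns [] when valid.
function validateWorkspaceName(name: unknown): string[] {
  if (typeof name !== 'string') {
    return ['name must be a string'];
  }
  const messages: string[] = [];
  // Whitespace-only names count as empty.
  if (name.trim().length < NAME_MIN) {
    messages.push(`name must be longer than or equal to ${NAME_MIN} characters`);
  }
  if (name.length > NAME_MAX) {
    messages.push(`name must be shorter than or equal to ${NAME_MAX} characters`);
  }
  if (containsUrl(name)) {
    messages.push('name must not contain URLs');
  }
  return messages;
}

// Assumed 400 body shape (what NestJS ValidationPipe emits): message is the
// list of failed-constraint texts.
interface BadRequestBody {
  statusCode: number;
  message: string | string[];
  error?: string;
}

function buildBadRequest(messages: string[]): BadRequestBody {
  return { statusCode: 400, message: messages, error: 'Bad Request' };
}

// Client side: surface the server's specific validation text when the
// response is a 400 with a usable message; otherwise fall back to the
// generic toast. Never trusts the body blindly (non-string payloads are ignored).
function toastMessage(
  status: number,
  body: unknown,
  fallback = 'Failed to update data',
): string {
  if (status === 400 && body !== null && typeof body === 'object') {
    const msg = (body as { message?: unknown }).message;
    if (Array.isArray(msg) && msg.length > 0 && msg.every((m) => typeof m === 'string')) {
      return msg.join('; ');
    }
    if (typeof msg === 'string' && msg.length > 0) {
      return msg;
    }
  }
  return fallback;
}

// Client side: Save stays disabled while the field is unchanged (dirty
// tracking) or fails the same rules the server applies.
function saveDisabled(original: string, current: string): boolean {
  return current === original || validateWorkspaceName(current).length > 0;
}

// Walk-through of the report's three cases (constructed inputs).
const cases = ['Visit https://evil.com now', '', 'a'.repeat(65), 'Acme Workspace'];
for (const name of cases) {
  const errors = validateWorkspaceName(name);
  const status = errors.length ? 400 : 200;
  const body = errors.length ? buildBadRequest(errors) : { ok: true };
  console.log(JSON.stringify(name.slice(0, 30)), '->', status, toastMessage(status, body, 'Updated successfully'));
}
```

The same predicate backs both the server rule and the client's Save-button state, which is the parity the report is asking for; the `toastMessage` helper is the piece that stops the specific 400 text from being swallowed.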
Reference: vvzvlad/gitmost#127