add backend name validation for app creation / update

packages/server/src/api/routes/application.ts

@@ -2,16 +2,27 @@ import Router from "@koa/router"
 import * as controller from "../controllers/application"
 import authorized from "../../middleware/authorized"
 import { BUILDER } from "@budibase/backend-core/permissions"
+import { applicationValidator } from "./utils/validators"
 
 const router = new Router()
 
 router
   .post("/api/applications/:appId/sync", authorized(BUILDER), controller.sync)
-  .post("/api/applications", authorized(BUILDER), controller.create)
+  .post(
+    "/api/applications",
+    authorized(BUILDER),
+    applicationValidator(),
+    controller.create
+  )
   .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
   .get("/api/applications", controller.fetch)
   .get("/api/applications/:appId/appPackage", controller.fetchAppPackage)
-  .put("/api/applications/:appId", authorized(BUILDER), controller.update)
+  .put(
+    "/api/applications/:appId",
+    authorized(BUILDER),
+    applicationValidator(),
+    controller.update
+  )
   .post(
     "/api/applications/:appId/client/update",
     authorized(BUILDER),

packages/server/src/api/routes/utils/validators.js

@@ -10,6 +10,7 @@ const Joi = require("joi")
 const OPTIONAL_STRING = Joi.string().optional().allow(null).allow("")
 const OPTIONAL_NUMBER = Joi.number().optional().allow(null)
 const OPTIONAL_BOOLEAN = Joi.boolean().optional().allow(null)
+const APP_NAME_REGEX = /^[\w\s]+$/
 
 exports.tableValidator = () => {
   // prettier-ignore
@@ -214,7 +215,7 @@ exports.applicationValidator = () => {
   return joiValidator.body(Joi.object({
     _id: OPTIONAL_STRING,
     _rev: OPTIONAL_STRING,
-    name: Joi.string().required(),
+    name: Joi.string().pattern(new RegExp(APP_NAME_REGEX)).required().error(new Error('App name must be letters, numbers and spaces only')),
     url: OPTIONAL_STRING,
     template: Joi.object({
       templateString: OPTIONAL_STRING,