fix(monday): validate all numeric IDs and sanitize columns in GraphQL queries

waleedlatif1 · claude · waleedlatif1 · commit 210cab9a6ecc · 2026-04-16T19:46:58.000-07:00
- Add sanitizeNumericId() helper to tools/monday/utils.ts for consistent
  validation across all tool body builders
- Apply to all 13 instances of boardId, itemId, parentItemId interpolation
  across 11 tool files, preventing GraphQL injection via crafted IDs
- Wrap JSON.parse in search_items.ts with try-catch for user-friendly
  error on malformed column filter JSON

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/tools/monday/archive_item.ts b/apps/sim/tools/monday/archive_item.ts
@@ -1,5 +1,10 @@
 import type { MondayArchiveItemParams, MondayArchiveItemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayArchiveItemTool: ToolConfig<MondayArchiveItemParams, MondayArchiveItemResponse> =
@@ -34,7 +39,7 @@ export const mondayArchiveItemTool: ToolConfig<MondayArchiveItemParams, MondayAr
       method: 'POST',
       headers: (params) => mondayHeaders(params.accessToken),
       body: (params) => ({
-        query: `mutation { archive_item(item_id: ${params.itemId}) { id } }`,
+        query: `mutation { archive_item(item_id: ${sanitizeNumericId(params.itemId, 'itemId')}) { id } }`,
       }),
     },
 
diff --git a/apps/sim/tools/monday/create_group.ts b/apps/sim/tools/monday/create_group.ts
@@ -1,5 +1,10 @@
 import type { MondayCreateGroupParams, MondayCreateGroupResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayCreateGroupTool: ToolConfig<MondayCreateGroupParams, MondayCreateGroupResponse> =
@@ -47,7 +52,7 @@ export const mondayCreateGroupTool: ToolConfig<MondayCreateGroupParams, MondayCr
       headers: (params) => mondayHeaders(params.accessToken),
       body: (params) => {
         const args: string[] = [
-          `board_id: ${params.boardId}`,
+          `board_id: ${sanitizeNumericId(params.boardId, 'boardId')}`,
           `group_name: ${JSON.stringify(params.groupName)}`,
         ]
         if (params.groupColor) {
diff --git a/apps/sim/tools/monday/create_item.ts b/apps/sim/tools/monday/create_item.ts
@@ -1,5 +1,10 @@
 import type { MondayCreateItemParams, MondayCreateItemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayCreateItemTool: ToolConfig<MondayCreateItemParams, MondayCreateItemResponse> = {
@@ -53,7 +58,7 @@ export const mondayCreateItemTool: ToolConfig<MondayCreateItemParams, MondayCrea
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => {
       const args: string[] = [
-        `board_id: ${params.boardId}`,
+        `board_id: ${sanitizeNumericId(params.boardId, 'boardId')}`,
         `item_name: ${JSON.stringify(params.itemName)}`,
       ]
       if (params.groupId) {
diff --git a/apps/sim/tools/monday/create_subitem.ts b/apps/sim/tools/monday/create_subitem.ts
@@ -1,5 +1,10 @@
 import type { MondayCreateSubitemParams, MondayCreateSubitemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayCreateSubitemTool: ToolConfig<
@@ -49,7 +54,7 @@ export const mondayCreateSubitemTool: ToolConfig<
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => {
       const args: string[] = [
-        `parent_item_id: ${params.parentItemId}`,
+        `parent_item_id: ${sanitizeNumericId(params.parentItemId, 'parentItemId')}`,
         `item_name: ${JSON.stringify(params.itemName)}`,
       ]
       if (params.columnValues) {
diff --git a/apps/sim/tools/monday/create_update.ts b/apps/sim/tools/monday/create_update.ts
@@ -1,5 +1,10 @@
 import type { MondayCreateUpdateParams, MondayCreateUpdateResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayCreateUpdateTool: ToolConfig<
@@ -42,7 +47,7 @@ export const mondayCreateUpdateTool: ToolConfig<
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `mutation { create_update(item_id: ${params.itemId}, body: ${JSON.stringify(params.body)}) { id body text_body created_at creator_id item_id } }`,
+      query: `mutation { create_update(item_id: ${sanitizeNumericId(params.itemId, 'itemId')}, body: ${JSON.stringify(params.body)}) { id body text_body created_at creator_id item_id } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/delete_item.ts b/apps/sim/tools/monday/delete_item.ts
@@ -1,5 +1,10 @@
 import type { MondayDeleteItemParams, MondayDeleteItemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayDeleteItemTool: ToolConfig<MondayDeleteItemParams, MondayDeleteItemResponse> = {
@@ -33,7 +38,7 @@ export const mondayDeleteItemTool: ToolConfig<MondayDeleteItemParams, MondayDele
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `mutation { delete_item(item_id: ${params.itemId}) { id } }`,
+      query: `mutation { delete_item(item_id: ${sanitizeNumericId(params.itemId, 'itemId')}) { id } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/get_board.ts b/apps/sim/tools/monday/get_board.ts
@@ -1,5 +1,10 @@
 import type { MondayGetBoardParams, MondayGetBoardResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayGetBoardTool: ToolConfig<MondayGetBoardParams, MondayGetBoardResponse> = {
@@ -33,7 +38,7 @@ export const mondayGetBoardTool: ToolConfig<MondayGetBoardParams, MondayGetBoard
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `query { boards(ids: [${params.boardId}]) { id name description state board_kind items_count url updated_at groups { id title color archived deleted position } columns { id title type } } }`,
+      query: `query { boards(ids: [${sanitizeNumericId(params.boardId, 'boardId')}]) { id name description state board_kind items_count url updated_at groups { id title color archived deleted position } columns { id title type } } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/get_item.ts b/apps/sim/tools/monday/get_item.ts
@@ -1,5 +1,10 @@
 import type { MondayGetItemParams, MondayGetItemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayGetItemTool: ToolConfig<MondayGetItemParams, MondayGetItemResponse> = {
@@ -33,7 +38,7 @@ export const mondayGetItemTool: ToolConfig<MondayGetItemParams, MondayGetItemRes
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `query { items(ids: [${params.itemId}]) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
+      query: `query { items(ids: [${sanitizeNumericId(params.itemId, 'itemId')}]) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/get_items.ts b/apps/sim/tools/monday/get_items.ts
@@ -1,5 +1,10 @@
 import type { MondayGetItemsParams, MondayGetItemsResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 function mapItem(item: Record<string, unknown>): {
@@ -81,13 +86,14 @@ export const mondayGetItemsTool: ToolConfig<MondayGetItemsParams, MondayGetItems
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => {
       const limit = params.limit ?? 25
+      const boardId = sanitizeNumericId(params.boardId, 'boardId')
       if (params.groupId) {
         return {
-          query: `query { boards(ids: [${params.boardId}]) { groups(ids: [${JSON.stringify(params.groupId)}]) { items_page(limit: ${limit}) { items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } } } }`,
+          query: `query { boards(ids: [${boardId}]) { groups(ids: [${JSON.stringify(params.groupId)}]) { items_page(limit: ${limit}) { items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } } } }`,
         }
       }
       return {
-        query: `query { boards(ids: [${params.boardId}]) { items_page(limit: ${limit}) { items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } } }`,
+        query: `query { boards(ids: [${boardId}]) { items_page(limit: ${limit}) { items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } } }`,
       }
     },
   },
diff --git a/apps/sim/tools/monday/move_item_to_group.ts b/apps/sim/tools/monday/move_item_to_group.ts
@@ -2,7 +2,12 @@ import type {
   MondayMoveItemToGroupParams,
   MondayMoveItemToGroupResponse,
 } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayMoveItemToGroupTool: ToolConfig<
@@ -45,7 +50,7 @@ export const mondayMoveItemToGroupTool: ToolConfig<
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `mutation { move_item_to_group(item_id: ${params.itemId}, group_id: ${JSON.stringify(params.groupId)}) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
+      query: `mutation { move_item_to_group(item_id: ${sanitizeNumericId(params.itemId, 'itemId')}, group_id: ${JSON.stringify(params.groupId)}) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/search_items.ts b/apps/sim/tools/monday/search_items.ts
@@ -1,5 +1,10 @@
 import type { MondaySearchItemsParams, MondaySearchItemsResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondaySearchItemsTool: ToolConfig<MondaySearchItemsParams, MondaySearchItemsResponse> =
@@ -59,12 +64,20 @@ export const mondaySearchItemsTool: ToolConfig<MondaySearchItemsParams, MondaySe
             query: `query { next_items_page(limit: ${limit}, cursor: ${JSON.stringify(params.cursor)}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,
           }
         }
-        const columnsJson =
-          typeof params.columns === 'string'
-            ? JSON.stringify(JSON.parse(params.columns))
-            : JSON.stringify(params.columns)
+        const boardId = sanitizeNumericId(params.boardId, 'boardId')
+        let columnsJson: string
+        try {
+          columnsJson =
+            typeof params.columns === 'string'
+              ? JSON.stringify(JSON.parse(params.columns))
+              : JSON.stringify(params.columns)
+        } catch {
+          throw new Error(
+            'Column filters must be a valid JSON array, e.g. [{"column_id":"status","column_values":["Done"]}]'
+          )
+        }
         return {
-          query: `query { items_page_by_column_values(limit: ${limit}, board_id: ${params.boardId}, columns: ${columnsJson}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,
+          query: `query { items_page_by_column_values(limit: ${limit}, board_id: ${boardId}, columns: ${columnsJson}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,
         }
       },
     },
diff --git a/apps/sim/tools/monday/update_item.ts b/apps/sim/tools/monday/update_item.ts
@@ -1,5 +1,10 @@
 import type { MondayUpdateItemParams, MondayUpdateItemResponse } from '@/tools/monday/types'
-import { extractMondayError, MONDAY_API_URL, mondayHeaders } from '@/tools/monday/utils'
+import {
+  extractMondayError,
+  MONDAY_API_URL,
+  mondayHeaders,
+  sanitizeNumericId,
+} from '@/tools/monday/utils'
 import type { ToolConfig } from '@/tools/types'
 
 export const mondayUpdateItemTool: ToolConfig<MondayUpdateItemParams, MondayUpdateItemResponse> = {
@@ -46,7 +51,7 @@ export const mondayUpdateItemTool: ToolConfig<MondayUpdateItemParams, MondayUpda
     method: 'POST',
     headers: (params) => mondayHeaders(params.accessToken),
     body: (params) => ({
-      query: `mutation { change_multiple_column_values(item_id: ${params.itemId}, board_id: ${params.boardId}, column_values: ${JSON.stringify(params.columnValues)}) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
+      query: `mutation { change_multiple_column_values(item_id: ${sanitizeNumericId(params.itemId, 'itemId')}, board_id: ${sanitizeNumericId(params.boardId, 'boardId')}, column_values: ${JSON.stringify(params.columnValues)}) { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } }`,
     }),
   },
 
diff --git a/apps/sim/tools/monday/utils.ts b/apps/sim/tools/monday/utils.ts
@@ -8,6 +8,18 @@ export function mondayHeaders(accessToken: string): Record<string, string> {
   }
 }
 
+/**
+ * Validates that a Monday.com numeric ID (boardId, itemId, etc.) contains only digits.
+ * Throws with a user-friendly message if invalid, preventing GraphQL injection.
+ */
+export function sanitizeNumericId(value: string | number, paramName: string): string {
+  const str = String(value).trim()
+  if (!/^\d+$/.test(str)) {
+    throw new Error(`${paramName} must be a numeric integer`)
+  }
+  return str
+}
+
 export function extractMondayError(data: Record<string, unknown>): string | null {
   if (data.errors && Array.isArray(data.errors) && data.errors.length > 0) {
     const messages = (data.errors as Array<Record<string, unknown>>)
