ingest: length and symbol restriction for track event names

jitsucom · Dec 27, 2023 · d9e5f12 · d9e5f12
1 parent 256bcee
commit d9e5f12
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/ingest/router.go b/ingest/router.go
@@ -36,7 +36,7 @@ var eventTypesDict = map[string]string{
 
 var eventTypesSet = utils.NewSet("page", "identify", "track", "group", "alias", "screen")
 
-var notAllowedEventNameChars = regexp.MustCompile("[^a-zA-Z0-9_ :-]+")
+var notAllowedEventNameChars = regexp.MustCompile("[^a-zA-Z0-9_ :'/-]+")
 
 type Router struct {
 	*appbase.Router
@@ -208,6 +208,7 @@ func patchEvent(c *gin.Context, messageId string, event *AnalyticsServerEvent, t
 			return fmt.Errorf("'event' property is required for 'track' event")
 		}
 		if notAllowedEventNameChars.MatchString(eventName) || strings.Contains(eventName, "--") {
+			// we allow '-',''','/' and ':' symbols because existing clients already use them. But we don't allow '--' because it's SQL comment (used in SQL injection)
 			return fmt.Errorf("Invalid track event name '%s'. Only alpha-numeric characters, underscores and spaces are allowed in track event name.", eventName)
 		}
 		if len(eventName) > 64 {