fix: add max length validation to environment name #7087

Merged: adilsitos merged 3 commits into Infisical:main from Abdul-Moiz31:fix/environment-name-max-length on Jun 30, 2026

@Abdul-Moiz31

Contributor

Context

Environment name field had no max length validation on the backend — only z.string().trim() with no upper bound. The slug field correctly enforced max(64) via slugSchema, but name was inconsistent.

Submitting a name longer than 64 characters via the API bypassed all validation and would either store an unreasonably long string or produce a raw PostgreSQL 500 error at 255+ chars, instead of a proper 400 response.

Closes #7086

Screenshots

Before

[Screenshot 2026-06-30 at 12 33 23 PM]

After

[image] [image]

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Contributor

Greptile Summary

This PR adds min(1).max(64) validation to the name field on the create and update environment routes in the v1 project-env router, matching the existing max(64) constraint already enforced on the slug field.

  • The fix in project-env-router.ts correctly closes the unbounded-input path on the current v1 endpoints.
  • The deprecated router (deprecated-project-env-router.ts) has identical name fields on its create and update routes that were not updated, leaving the same bypass accessible via those endpoints.
  • The frontend forms (AddEnvironmentModal, UpdateEnvironmentModal) also lack a matching max(64) constraint, so users exceeding the limit will receive a backend error rather than a client-side message.

Confidence Score: 3/5

The fix only covers one of two routers that share the same validation gap; the deprecated endpoints remain unprotected.

The deprecated router still accepts unbounded environment names on both its create and update endpoints, meaning the PostgreSQL-level 500 error can still be triggered through those paths. The change is incomplete.

backend/src/server/routes/v1/deprecated-project-env-router.ts — the name field on lines 131 and 194 needs the same min(1).max(64) constraints applied in this PR.

Important Files Changed

Filename: backend/src/server/routes/v1/project-env-router.ts
Overview: Adds min(1).max(64) to the name field on both the create and update environment routes — correct and consistent with the existing slugSchema({ max: 64 }) constraint.

Reviews (1): Last reviewed commit: "fix: add max length validation to enviro..."

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e5d4c21cb1

Comment thread backend/src/server/routes/v1/project-env-router.ts Outdated

@adilsitos adilsitos left a comment

Contributor

Thanks for your contribution @Abdul-Moiz31! This is a nice addition, but we need to support longer strings, can you update it to be 255?

@Abdul-Moiz31

Contributor Author

@adilsitos Sure will update in a min

@Abdul-Moiz31

Contributor Author

@adilsitos Updated
max length is now 255 on both the current and deprecated router endpoints.
Please review

@adilsitos adilsitos left a comment

Contributor

I'll just wait for the test to finish and will merge it.

@MubeenKodvavi MubeenKodvavi left a comment

@Abdul-Moiz31 can you edit the PR description as well that 255 char limit is utilised due to postgres VARCHAR field.

Also remove slug references. It is a separate field and name constraints should not depend on it, as its uniqueness is ensured at API level. @adilsitos For extra safety, unique DB constraint for slug's references on project_environments table.

@adilsitos adilsitos merged commit aca62f5 into Infisical:main Jun 30, 2026
11 of 12 checks passed
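
The gap discussed in this thread (an unbounded name reaching the database, and one router fixed while the deprecated one was not) can be closed by routing every endpoint through a single rule. This is an added example, not code from the PR or from Infisical: it uses plain TypeScript rather than the project's zod schemas, and `checkEnvName`, `makeHandler`, `routes` and `probe` are hypothetical names with constructed inputs.

```typescript
// Added illustration: every name here is hypothetical, not Infisical's code.
const ENV_NAME_MAX = 255; // limit settled on in the review thread

interface NameCheck {
  name: string; // trimmed value, safe to persist when error is null
  error: string | null; // reason for the 400, or null when valid
}

// Single source of truth for the name rule, so no route can drift from it.
function checkEnvName(input: unknown): NameCheck {
  if (typeof input !== "string") return { name: "", error: "name must be a string" };
  const name = input.trim(); // trim first, then measure
  if (name.length < 1) return { name, error: "name must not be empty" };
  // .length counts UTF-16 code units, never fewer than the character count,
  // so this bound is conservative for a 255-character column.
  if (name.length > ENV_NAME_MAX) {
    return { name: "", error: `name must be at most ${ENV_NAME_MAX} characters` };
  }
  return { name, error: null };
}

type Handler = (body: { name?: unknown }) => { status: number; detail: string };

// Stand-in for a route handler: reject at the boundary, before any DB write.
function makeHandler(rows: string[]): Handler {
  return (body) => {
    const { name, error } = checkEnvName(body.name);
    if (error !== null) return { status: 400, detail: error };
    rows.push(name); // stands in for the INSERT/UPDATE
    return { status: 200, detail: name };
  };
}

// Constructed setup: current and deprecated routes share the one rule.
const rows: string[] = [];
const routes: Record<string, Handler> = {
  current: makeHandler(rows),
  deprecated: makeHandler(rows),
};

// Sends the same body to every route and returns each route's status code.
function probe(name: unknown): Record<string, number> {
  const out: Record<string, number> = {};
  for (const route of Object.keys(routes)) {
    out[route] = routes[route]({ name }).status;
  }
  return out;
}
```

Running `probe` with a boundary value (255 versus 256 characters) against every registered route is a quick regression check that no endpoint was left on the old, unbounded schema.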

Development

Successfully merging this pull request may close these issues.

Missing max length validation on environment name in create/update endpoints

3 participants