fix(jira): quote project key in JQL to defend against injection

waleedlatif1 · waleedlatif1 · commit 16111b90d818 · 2026-04-29T18:42:50.000-07:00
diff --git a/apps/sim/app/api/tools/jira/issues/route.ts b/apps/sim/app/api/tools/jira/issues/route.ts
@@ -172,7 +172,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
 
       const buildUrl = (token?: string) => {
         const jqlParts: string[] = []
-        if (projectKey) jqlParts.push(`project = ${projectKey}`)
+        if (projectKey) jqlParts.push(`project = "${escapeJql(projectKey)}"`)
         if (query) {
           const q = escapeJql(query)
           jqlParts.push(`(key ~ "${q}" OR summary ~ "${q}")`)
