fix(jira): quote project key in bulk_read JQL for defense in depth

waleedlatif1 · claude · waleedlatif1 · commit 952d1a924830 · 2026-04-29T18:49:01.000-07:00
The alphanumeric regex check above already blocks injection, but quoting
the project key matches the pattern used elsewhere (issues/route.ts) and
hardens the path against future regex changes.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/tools/jira/bulk_read.ts b/apps/sim/tools/jira/bulk_read.ts
@@ -93,7 +93,7 @@ export const jiraBulkRetrieveTool: ToolConfig<JiraRetrieveBulkParams, JiraRetrie
         `Invalid Jira project key "${projectKey}". Expected an alphanumeric project key (e.g., PROJ).`
       )
     }
-    const jql = `project = ${projectKey} ORDER BY updated DESC`
+    const jql = `project = "${projectKey}" ORDER BY updated DESC`
 
     let collected: any[] = []
     let nextPageToken: string | undefined

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ export const jiraBulkRetrieveTool: ToolConfig<JiraRetrieveBulkParams, JiraRetrie`
`93`	`93`	`Invalid Jira project key "${projectKey}". Expected an alphanumeric project key (e.g., PROJ).`
`94`	`94`	`)`
`95`	`95`	`}`
`96`		- const jql = `project = ${projectKey} ORDER BY updated DESC`
	`96`	+ const jql = `project = "${projectKey}" ORDER BY updated DESC`
`97`	`97`
`98`	`98`	`let collected: any[] = []`
`99`	`99`	`let nextPageToken: string \| undefined`