From d9e5f123025c7eb91033d460ea2fed3634873997 Mon Sep 17 00:00:00 2001
From: Ildar Nurislamov
Date: Wed, 27 Dec 2023 11:58:21 +0400
Subject: [PATCH] ingest: length and symbol restriction for track event names
---
 ingest/router.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ingest/router.go b/ingest/router.go
index 05b73e5..05509f4 100644
--- a/ingest/router.go
+++ b/ingest/router.go
@@ -36,7 +36,7 @@ var eventTypesDict = map[string]string{
 var eventTypesSet = utils.NewSet("page", "identify", "track", "group", "alias", "screen")
-var notAllowedEventNameChars = regexp.MustCompile("[^a-zA-Z0-9_ :-]+")
+var notAllowedEventNameChars = regexp.MustCompile("[^a-zA-Z0-9_ :'/-]+")
 type Router struct {
 *appbase.Router
@@ -208,6 +208,7 @@ func patchEvent(c *gin.Context, messageId string, event *AnalyticsServerEvent, t
 return fmt.Errorf("'event' property is required for 'track' event")
 }
 if notAllowedEventNameChars.MatchString(eventName) || strings.Contains(eventName, "--") {
+ // we allow '-',''','/' and ':' symbols because existing clients already use them. But we don't allow '--' because it's SQL comment (used in SQL injection)
 return fmt.Errorf("Invalid track event name '%s'. Only alpha-numeric characters, underscores and spaces are allowed in track event name.", eventName)
 }
 if len(eventName) > 64 {
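Review bot: Widening the character class on the new `notAllowedEventNameChars` line to admit `'` and `/` weakens the only filter the second hunk's comment says stands between event names and SQL: `'` is the SQL string delimiter, and rejecting the single `--` sequence later in patchEvent does not cover other comment or quoting forms that the newly allowed characters make expressible. If the event name is ever interpolated into SQL, the dependable control is quoting or parameterizing at that sink; this regex should then only express product rules, and a short comment next to it should say where the SQL-side escaping happens. The error text on the rejection line in the second hunk is now inconsistent with the pattern, since it still claims only alphanumerics, underscores and spaces are accepted; update it to list the extra characters, e.g. `"Invalid track event name '%s'. Only alpha-numeric characters, underscores, spaces and the symbols : - ' / are allowed in track event name."`.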
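Review bot: The added comment is placed inside the rejection branch of patchEvent, away from the `notAllowedEventNameChars` definition it actually explains, and its quoting of the apostrophe (`''','`) is garbled. Move it above the regexp declaration and write it as `// '-', '\'', '/' and ':' are accepted because existing clients already send them; "--" is rejected separately in patchEvent because it opens a SQL comment.` The rationale it records, blocklisting one comment token, should not be the reason the SQL path is considered safe; if the name reaches a query, note in the same comment where it is escaped or bound as a parameter. patchEvent's body starts and ends outside this hunk.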