fix: validate client before adding to url parameters

[815are]

Attempt to fix sonar issue ->

Ensure that tainted data is validated before being used to construct a client-side request URL.

https://sonarcloud.io/organizations/sap-1/rules?open=tssecurity%3AS8476&rule_key=tssecurity%3AS8476

in -> https://github.com/SAP/open-ux-tools/blob/main/packages/preview-middleware-client/src/flp/init.ts#L190-L193

[changeset-bot]

🦋 Changeset detected

Latest commit: 1524f12

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@sap-ux-private/preview-middleware-client	Patch
@sap-ux/preview-middleware	Patch
@sap-ux/create	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[heimwege]

The core fix is correct and sufficient to satisfy the SonarCloud rule. The tests are well-structured.

[hyperspace-insights]

Summary

The following content is AI-generated and provides a summary of the pull request:

---

Fix: Validate sap-client Parameter Before Appending to URL

Bug Fix

🐛 Resolves a SonarCloud security issue (tssecurity:S8476) by validating the sap-client URL parameter before using it to construct a client-side request URL in registerComponentDependencyPaths.

Previously, only the length of the sap-client value was checked (must be 3 characters). Now, an additional regex check ensures the value consists entirely of digits (/^\d+$/), preventing potentially tainted non-numeric data from being injected into the URL.

Changes

• packages/preview-middleware-client/src/flp/init.ts: Added a numeric-only regex validation (/^\d+$/.test(sapClient)) alongside the existing length check for the sap-client URL parameter.
• packages/preview-middleware-client/test/unit/flp/init.test.ts: Added a dedicated describe block with parameterized tests covering valid clients (e.g. '001'), clients containing non-numeric characters (e.g. 'T12'), and clients exceeding 3 characters (e.g. '4444'). Also added fetchMock.mockReset() to beforeEach to improve test isolation and a minor whitespace cleanup.
• .changeset/sparkly-clocks-laugh.md: Added a patch-level changeset entry for @sap-ux-private/preview-middleware-client describing the fix.

---

• 🔄 Regenerate and Update Summary
• ✏️ Insert as PR Description (deletes this comment)
• 🗑️ Delete comment

PR Bot Information

Version: 1.20.43

• Event Trigger: pull_request.ready_for_review
• Summary Prompt: Default Prompt
• File Content Strategy: Full file content
• Output Template: Default Template
• Correlation ID: 595a23c2-8f63-4802-84ca-09fbec0a5980
• LLM: anthropic--claude-4.6-sonnet

[hyperspace-insights]

The PR correctly validates that sap-client is exactly 3 digits before appending it to the URL, which resolves the Sonar finding. Two issues worth addressing: the libs value built from manifest keys is still concatenated into the URL without encoding (a similar tainted-data risk), and the test suite is missing a case for a client value shorter than 3 characters, leaving that branch untested.

PR Bot Information

Version: 1.20.43

• Event Trigger: pull_request.ready_for_review
• File Content Strategy: Full file content
• Correlation ID: 595a23c2-8f63-4802-84ca-09fbec0a5980
• LLM: anthropic--claude-4.6-sonnet
• Agent Instructions:
  • AGENTS.md
  • CLAUDE.md

[heimwege]

re-approve

[vadson71]

Code changes look good
Covered by test
Didn't test locally

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Klaus-Keller]

Thanks @815are!

• changes to validate URL parameters looks good, exactly 3 digits
• changeset has been added, patch is correct
• test coverage is great
• did a visual and AI aided review

Approved from my side.