
Commit a477d4b

committed
extensions: validate Notion IDs before API calls
1 parent ec6b6b4 commit a477d4b

1 file changed

Lines changed: 17 additions & 4 deletions


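--- a/pi/extensions/notion.ts
+++ b/pi/extensions/notion.ts
@@ -133,6 +133,14 @@ function formatBlockContent(block: any, indent = 0): string {
 }
 }
 
+function parseNotionId(rawId: string, fieldName: "page_id" | "database_id") {
+const normalizedId = rawId.replace(/-/g, "").trim();
+if (!/^[a-f0-9]{32}$/i.test(normalizedId)) {
+return { error: `❌ ${fieldName} must be a valid Notion ID (32 hex characters).` };
+}
+return { value: normalizedId };
+}
+
 // ── Action handlers ───────────────────────────────────────────────────────────
 
 async function handleSearch(params: any): Promise<string> {
@@ -177,8 +185,9 @@ async function handleSearch(params: any): Promise<string> {
 async function handleGet(params: any): Promise<string> {
 if (!params.page_id) return "❌ page_id is required for get action.";
 
-// Remove hyphens from page_id if present (Notion accepts both formats)
-const pageId = params.page_id.replace(/-/g, "");
+const parsedPageId = parseNotionId(params.page_id, "page_id");
+if (parsedPageId.error) return parsedPageId.error;
+const pageId = parsedPageId.value;
 
 // Get page metadata
 const page = await notionRequest(`/pages/${pageId}`);
@@ -223,7 +232,9 @@ async function handleGet(params: any): Promise<string> {
 async function handleList(params: any): Promise<string> {
 if (!params.database_id) return "❌ database_id is required for list action.";
 
-const databaseId = params.database_id.replace(/-/g, "");
+const parsedDatabaseId = parseNotionId(params.database_id, "database_id");
+if (parsedDatabaseId.error) return parsedDatabaseId.error;
+const databaseId = parsedDatabaseId.value;
 const limit = Math.min(params.limit || 20, 100);
 
 const body: any = {
@@ -314,7 +325,9 @@ async function handleList(params: any): Promise<string> {
 async function handleDatabase(params: any): Promise<string> {
 if (!params.database_id) return "❌ database_id is required for database action.";
 
-const databaseId = params.database_id.replace(/-/g, "");
+const parsedDatabaseId = parseNotionId(params.database_id, "database_id");
+if (parsedDatabaseId.error) return parsedDatabaseId.error;
+const databaseId = parsedDatabaseId.value;
 
 const db = await notionRequest(`/databases/${databaseId}`);
 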
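Review bot: `parseNotionId` calls `rawId.replace(...)` before confirming the value is a string, and all three call sites (`handleGet`, `handleList`, `handleDatabase`) pass a field of `params: any` after only a truthiness test, so a truthy non-string such as a number or an object throws a TypeError instead of returning the validation message. Declare the parameter as `rawId: unknown` and make the first statement `if (typeof rawId !== "string") return { error: ... };` with the same message as the regex branch. The 32-hex check is what keeps caller-supplied text out of the interpolated request paths (`/pages/${pageId}`, `/databases/${databaseId}`), so a one-line comment on the helper saying so, e.g. `// Only a bare 32-hex ID may reach a request path; anything else is rejected here.`, would help keep later handlers from bypassing it. Any handler outside these hunks that builds a path from an ID presumably needs the same call; the handler bodies continue beyond the visible lines.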