From cfb719e321a8fce090e65941e4710b95442e6881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= <ivov.src@gmail.com>
Date: Thu, 15 Aug 2024 10:00:22 +0200
Subject: [PATCH 1/3] refactor(core): Improve XSS validator

---
 packages/cli/package.json                     |  1 +
 packages/cli/src/GenericHelpers.ts            |  2 +-
 packages/cli/src/databases/entities/User.ts   |  2 +-
 .../utils/__tests__/customValidators.test.ts  | 43 ------------
 .../utils/__tests__/no-xss.validator.test.ts  | 70 +++++++++++++++++++
 .../src/databases/utils/customValidators.ts   | 18 -----
 .../src/databases/utils/no-xss.validator.ts   | 32 +++++++++
 packages/cli/src/requests.ts                  |  2 +-
 pnpm-lock.yaml                                | 21 +++---
 9 files changed, 118 insertions(+), 73 deletions(-)
 delete mode 100644 packages/cli/src/databases/utils/__tests__/customValidators.test.ts
 create mode 100644 packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
 delete mode 100644 packages/cli/src/databases/utils/customValidators.ts
 create mode 100644 packages/cli/src/databases/utils/no-xss.validator.ts

diff --git a/packages/cli/package.json b/packages/cli/package.json
index 8387f0ba41521..f12118ea91a9e 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -155,6 +155,7 @@
     "reflect-metadata": "0.2.2",
     "replacestream": "4.0.3",
     "samlify": "2.8.9",
+    "sanitize-html": "2.12.1",
     "semver": "7.5.4",
     "shelljs": "0.8.5",
     "simple-git": "3.17.0",
diff --git a/packages/cli/src/GenericHelpers.ts b/packages/cli/src/GenericHelpers.ts
index 300f24f9f9355..00ecf3e0eb6b8 100644
--- a/packages/cli/src/GenericHelpers.ts
+++ b/packages/cli/src/GenericHelpers.ts
@@ -9,7 +9,7 @@ import type {
 	UserUpdatePayload,
 } from '@/requests';
 import { BadRequestError } from './errors/response-errors/bad-request.error';
-import { NoXss } from './databases/utils/customValidators';
+import { NoXss } from '@/databases/utils/no-xss.validator';
 
 export async function validateEntity(
 	entity:
diff --git a/packages/cli/src/databases/entities/User.ts b/packages/cli/src/databases/entities/User.ts
index d24af19742e6a..a27afb60efba4 100644
--- a/packages/cli/src/databases/entities/User.ts
+++ b/packages/cli/src/databases/entities/User.ts
@@ -13,7 +13,7 @@ import { IsEmail, IsString, Length } from 'class-validator';
 import type { IUser, IUserSettings } from 'n8n-workflow';
 import type { SharedWorkflow } from './SharedWorkflow';
 import type { SharedCredentials } from './SharedCredentials';
-import { NoXss } from '../utils/customValidators';
+import { NoXss } from '@db/utils/no-xss.validator';
 import { objectRetriever, lowerCaser } from '../utils/transformers';
 import { WithTimestamps, jsonColumnType } from './AbstractEntity';
 import type { IPersonalizationSurveyAnswers } from '@/Interfaces';
diff --git a/packages/cli/src/databases/utils/__tests__/customValidators.test.ts b/packages/cli/src/databases/utils/__tests__/customValidators.test.ts
deleted file mode 100644
index df906b36d6a52..0000000000000
--- a/packages/cli/src/databases/utils/__tests__/customValidators.test.ts
+++ /dev/null
@@ -1,43 +0,0 @@
-import { NoXss } from '@db/utils/customValidators';
-import { validate } from 'class-validator';
-
-describe('customValidators', () => {
-	describe('NoXss', () => {
-		class Person {
-			@NoXss()
-			name: string;
-		}
-		const person = new Person();
-
-		const invalidNames = ['http://google.com', '<script src/>', 'www.domain.tld'];
-
-		const validNames = [
-			'Johann Strauß',
-			'Вагиф Сәмәдоғлу',
-			'René Magritte',
-			'সুকুমার রায়',
-			'མགོན་པོ་རྡོ་རྗེ།',
-			'عبدالحليم حافظ',
-		];
-
-		describe('Block XSS', () => {
-			for (const name of invalidNames) {
-				test(name, async () => {
-					person.name = name;
-					const validationErrors = await validate(person);
-					expect(validationErrors[0].property).toEqual('name');
-					expect(validationErrors[0].constraints).toEqual({ NoXss: 'Malicious name' });
-				});
-			}
-		});
-
-		describe('Allow Valid names', () => {
-			for (const name of validNames) {
-				test(name, async () => {
-					person.name = name;
-					expect(await validate(person)).toBeEmptyArray();
-				});
-			}
-		});
-	});
-});
diff --git a/packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts b/packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
new file mode 100644
index 0000000000000..ba8edcbbd4a7d
--- /dev/null
+++ b/packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
@@ -0,0 +1,70 @@
+import { NoXss } from '../no-xss.validator';
+import { validate } from 'class-validator';
+
+describe('NoXss', () => {
+	class Entity {
+		@NoXss()
+		name = '';
+
+		@NoXss()
+		timestamp = '';
+
+		@NoXss()
+		version = '';
+	}
+
+	const entity = new Entity();
+
+	describe('Scripts and URLs', () => {
+		const MALICIOUS_STRINGS = ['http://google.com', '<script src/>', 'www.domain.tld'];
+
+		for (const str of MALICIOUS_STRINGS) {
+			test(`should block ${str}`, async () => {
+				entity.name = str;
+				const [error] = await validate(entity);
+				expect(error.property).toEqual('name');
+				expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
+			});
+		}
+	});
+
+	describe('Names', () => {
+		const VALID_NAMES = [
+			'Johann Strauß',
+			'Вагиф Сәмәдоғлу',
+			'René Magritte',
+			'সুকুমার রায়',
+			'མགོན་པོ་རྡོ་རྗེ།',
+			'عبدالحليم حافظ',
+		];
+
+		for (const name of VALID_NAMES) {
+			test(`should allow ${name}`, async () => {
+				entity.name = name;
+				expect(await validate(entity)).toBeEmptyArray();
+			});
+		}
+	});
+
+	describe('ISO-8601 timestamps', () => {
+		const VALID_TIMESTAMPS = ['2022-01-01T00:00:00.000Z', '2022-01-01T00:00:00.000+02:00'];
+
+		for (const timestamp of VALID_TIMESTAMPS) {
+			test(`should allow ${timestamp}`, async () => {
+				entity.timestamp = timestamp;
+				await expect(validate(entity)).resolves.toBeEmptyArray();
+			});
+		}
+	});
+
+	describe('Semver versions', () => {
+		const VALID_VERSIONS = ['1.0.0', '1.0.0-alpha.1'];
+
+		for (const version of VALID_VERSIONS) {
+			test(`should allow ${version}`, async () => {
+				entity.version = version;
+				await expect(validate(entity)).resolves.toBeEmptyArray();
+			});
+		}
+	});
+});
diff --git a/packages/cli/src/databases/utils/customValidators.ts b/packages/cli/src/databases/utils/customValidators.ts
deleted file mode 100644
index e98c507e9267f..0000000000000
--- a/packages/cli/src/databases/utils/customValidators.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import { registerDecorator } from 'class-validator';
-
-export function NoXss() {
-	return (object: object, propertyName: string): void => {
-		registerDecorator({
-			name: 'NoXss',
-			target: object.constructor,
-			propertyName,
-			constraints: [propertyName],
-			options: { message: `Malicious ${propertyName}` },
-			validator: {
-				validate(value: string) {
-					return !/(^http|^www)|<(\s*)?(script|a)|(\.[\p{L}\d-]+)/u.test(value);
-				},
-			},
-		});
-	};
-}
diff --git a/packages/cli/src/databases/utils/no-xss.validator.ts b/packages/cli/src/databases/utils/no-xss.validator.ts
new file mode 100644
index 0000000000000..ce71ebbc18144
--- /dev/null
+++ b/packages/cli/src/databases/utils/no-xss.validator.ts
@@ -0,0 +1,32 @@
+import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
+import { registerDecorator, ValidatorConstraint } from 'class-validator';
+import sanitizeHtml from 'sanitize-html';
+
+const URL_REGEX = /^(https?:\/\/|www\.)/i;
+
+@ValidatorConstraint({ name: 'NoXss', async: false })
+class NoXssConstraint implements ValidatorConstraintInterface {
+	validate(value: string) {
+		const sanitized = sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
+
+		if (sanitized !== value) return false;
+
+		return !URL_REGEX.test(value);
+	}
+
+	defaultMessage() {
+		return 'Potentially malicious string';
+	}
+}
+
+export function NoXss(options?: ValidationOptions) {
+	return function (object: object, propertyName: string) {
+		registerDecorator({
+			name: 'NoXss',
+			target: object.constructor,
+			propertyName,
+			options,
+			validator: NoXssConstraint,
+		});
+	};
+}
diff --git a/packages/cli/src/requests.ts b/packages/cli/src/requests.ts
index 436c0b1b18d94..6e541b7481f8b 100644
--- a/packages/cli/src/requests.ts
+++ b/packages/cli/src/requests.ts
@@ -13,7 +13,7 @@ import type {
 
 import { Expose } from 'class-transformer';
 import { IsBoolean, IsEmail, IsIn, IsOptional, IsString, Length } from 'class-validator';
-import { NoXss } from '@db/utils/customValidators';
+import { NoXss } from '@db/utils/no-xss.validator';
 import type { PublicUser, SecretsProvider, SecretsProviderState } from '@/Interfaces';
 import { AssignableRole } from '@db/entities/User';
 import type { GlobalRole, User } from '@db/entities/User';
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e3b834bfa4025..03ae60c7c4698 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -824,6 +824,9 @@ importers:
       samlify:
         specifier: 2.8.9
         version: 2.8.9
+      sanitize-html:
+        specifier: 2.12.1
+        version: 2.12.1
       semver:
         specifier: ^7.5.4
         version: 7.6.0
@@ -21306,7 +21309,7 @@ snapshots:
 
   eslint-import-resolver-node@0.3.9:
     dependencies:
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
       is-core-module: 2.13.1
       resolve: 1.22.8
     transitivePeerDependencies:
@@ -21331,7 +21334,7 @@ snapshots:
 
   eslint-module-utils@2.8.0(@typescript-eslint/parser@7.2.0(eslint@8.57.0)(typescript@5.5.2))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.1(@typescript-eslint/parser@7.2.0(eslint@8.57.0)(typescript@5.5.2))(eslint-plugin-import@2.29.1)(eslint@8.57.0))(eslint@8.57.0):
     dependencies:
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
     optionalDependencies:
       '@typescript-eslint/parser': 7.2.0(eslint@8.57.0)(typescript@5.5.2)
       eslint: 8.57.0
@@ -21351,7 +21354,7 @@ snapshots:
       array.prototype.findlastindex: 1.2.3
       array.prototype.flat: 1.3.2
       array.prototype.flatmap: 1.3.2
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
       doctrine: 2.1.0
       eslint: 8.57.0
       eslint-import-resolver-node: 0.3.9
@@ -21884,7 +21887,7 @@ snapshots:
 
   follow-redirects@1.15.6(debug@3.2.7):
     optionalDependencies:
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
 
   follow-redirects@1.15.6(debug@4.3.4):
     optionalDependencies:
@@ -22229,7 +22232,7 @@ snapshots:
       array-parallel: 0.1.3
       array-series: 0.1.5
       cross-spawn: 4.0.2
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
     transitivePeerDependencies:
       - supports-color
 
@@ -22448,7 +22451,7 @@ snapshots:
       domelementtype: 2.3.0
       domhandler: 5.0.3
       domutils: 3.0.1
-      entities: 4.4.0
+      entities: 4.5.0
 
   http-cache-semantics@4.1.1:
     optional: true
@@ -24909,7 +24912,7 @@ snapshots:
 
   pdf-parse@1.1.1:
     dependencies:
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
       node-ensure: 0.0.0
     transitivePeerDependencies:
       - supports-color
@@ -25805,7 +25808,7 @@ snapshots:
 
   rhea@1.0.24:
     dependencies:
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
     transitivePeerDependencies:
       - supports-color
 
@@ -26179,7 +26182,7 @@ snapshots:
       binascii: 0.0.2
       bn.js: 5.2.1
       browser-request: 0.3.3
-      debug: 3.2.7(supports-color@5.5.0)
+      debug: 3.2.7(supports-color@8.1.1)
       expand-tilde: 2.0.2
       extend: 3.0.2
       fast-xml-parser: 4.2.7

From ba5645bf5beb41afbe201c9eaf5362014ba00d88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= <ivov.src@gmail.com>
Date: Fri, 16 Aug 2024 09:58:07 +0200
Subject: [PATCH 2/3] Extract URL validation from `NoXss` validator

---
 packages/cli/src/GenericHelpers.ts            |  2 +-
 packages/cli/src/databases/entities/User.ts   |  2 +-
 packages/cli/src/requests.ts                  |  2 +-
 .../__tests__/no-url.validator.test.ts        | 26 ++++++++++++++++++
 .../__tests__/no-xss.validator.test.ts        | 10 ++++---
 .../cli/src/validators/no-url.validator.ts    | 27 +++++++++++++++++++
 .../utils => validators}/no-xss.validator.ts  |  8 +-----
 7 files changed, 63 insertions(+), 14 deletions(-)
 create mode 100644 packages/cli/src/validators/__tests__/no-url.validator.test.ts
 rename packages/cli/src/{databases/utils => validators}/__tests__/no-xss.validator.test.ts (86%)
 create mode 100644 packages/cli/src/validators/no-url.validator.ts
 rename packages/cli/src/{databases/utils => validators}/no-xss.validator.ts (76%)

diff --git a/packages/cli/src/GenericHelpers.ts b/packages/cli/src/GenericHelpers.ts
index 00ecf3e0eb6b8..57dcb60207f73 100644
--- a/packages/cli/src/GenericHelpers.ts
+++ b/packages/cli/src/GenericHelpers.ts
@@ -9,7 +9,7 @@ import type {
 	UserUpdatePayload,
 } from '@/requests';
 import { BadRequestError } from './errors/response-errors/bad-request.error';
-import { NoXss } from '@/databases/utils/no-xss.validator';
+import { NoXss } from '@/validators/no-xss.validator';
 
 export async function validateEntity(
 	entity:
diff --git a/packages/cli/src/databases/entities/User.ts b/packages/cli/src/databases/entities/User.ts
index a27afb60efba4..d79328208ae87 100644
--- a/packages/cli/src/databases/entities/User.ts
+++ b/packages/cli/src/databases/entities/User.ts
@@ -13,7 +13,7 @@ import { IsEmail, IsString, Length } from 'class-validator';
 import type { IUser, IUserSettings } from 'n8n-workflow';
 import type { SharedWorkflow } from './SharedWorkflow';
 import type { SharedCredentials } from './SharedCredentials';
-import { NoXss } from '@db/utils/no-xss.validator';
+import { NoXss } from '@/validators/no-xss.validator';
 import { objectRetriever, lowerCaser } from '../utils/transformers';
 import { WithTimestamps, jsonColumnType } from './AbstractEntity';
 import type { IPersonalizationSurveyAnswers } from '@/Interfaces';
diff --git a/packages/cli/src/requests.ts b/packages/cli/src/requests.ts
index 5ef78d6dbf53f..8c28775a3aed7 100644
--- a/packages/cli/src/requests.ts
+++ b/packages/cli/src/requests.ts
@@ -13,7 +13,7 @@ import type {
 
 import { Expose } from 'class-transformer';
 import { IsBoolean, IsEmail, IsIn, IsOptional, IsString, Length } from 'class-validator';
-import { NoXss } from '@db/utils/no-xss.validator';
+import { NoXss } from '@/validators/no-xss.validator';
 import type { PublicUser, SecretsProvider, SecretsProviderState } from '@/Interfaces';
 import { AssignableRole } from '@db/entities/User';
 import type { GlobalRole, User } from '@db/entities/User';
diff --git a/packages/cli/src/validators/__tests__/no-url.validator.test.ts b/packages/cli/src/validators/__tests__/no-url.validator.test.ts
new file mode 100644
index 0000000000000..ead34019889e3
--- /dev/null
+++ b/packages/cli/src/validators/__tests__/no-url.validator.test.ts
@@ -0,0 +1,26 @@
+import { NoUrl } from '../no-url.validator';
+import { validate } from 'class-validator';
+
+describe('NoUrl', () => {
+	class Entity {
+		@NoUrl()
+		name = '';
+	}
+
+	const entity = new Entity();
+
+	describe('URLs', () => {
+		const URLS = ['http://google.com', 'www.domain.tld'];
+
+		for (const str of URLS) {
+			test(`should block ${str}`, async () => {
+				entity.name = str;
+				const errors = await validate(entity);
+				expect(errors).toHaveLength(1);
+				const [error] = errors;
+				expect(error.property).toEqual('name');
+				expect(error.constraints).toEqual({ NoUrl: 'Potentially malicious string' });
+			});
+		}
+	});
+});
diff --git a/packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts b/packages/cli/src/validators/__tests__/no-xss.validator.test.ts
similarity index 86%
rename from packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
rename to packages/cli/src/validators/__tests__/no-xss.validator.test.ts
index ba8edcbbd4a7d..9972c4c0de802 100644
--- a/packages/cli/src/databases/utils/__tests__/no-xss.validator.test.ts
+++ b/packages/cli/src/validators/__tests__/no-xss.validator.test.ts
@@ -15,13 +15,15 @@ describe('NoXss', () => {
 
 	const entity = new Entity();
 
-	describe('Scripts and URLs', () => {
-		const MALICIOUS_STRINGS = ['http://google.com', '<script src/>', 'www.domain.tld'];
+	describe('Scripts', () => {
+		const XSS_STRINGS = ['<script src/>', "<script>alert('xss')</script>"];
 
-		for (const str of MALICIOUS_STRINGS) {
+		for (const str of XSS_STRINGS) {
 			test(`should block ${str}`, async () => {
 				entity.name = str;
-				const [error] = await validate(entity);
+				const errors = await validate(entity);
+				expect(errors).toHaveLength(1);
+				const [error] = errors;
 				expect(error.property).toEqual('name');
 				expect(error.constraints).toEqual({ NoXss: 'Potentially malicious string' });
 			});
diff --git a/packages/cli/src/validators/no-url.validator.ts b/packages/cli/src/validators/no-url.validator.ts
new file mode 100644
index 0000000000000..1df05fed5fa0d
--- /dev/null
+++ b/packages/cli/src/validators/no-url.validator.ts
@@ -0,0 +1,27 @@
+import type { ValidationOptions, ValidatorConstraintInterface } from 'class-validator';
+import { registerDecorator, ValidatorConstraint } from 'class-validator';
+
+const URL_REGEX = /^(https?:\/\/|www\.)/i;
+
+@ValidatorConstraint({ name: 'NoUrl', async: false })
+class NoUrlConstraint implements ValidatorConstraintInterface {
+	validate(value: string) {
+		return !URL_REGEX.test(value);
+	}
+
+	defaultMessage() {
+		return 'Potentially malicious string';
+	}
+}
+
+export function NoUrl(options?: ValidationOptions) {
+	return function (object: object, propertyName: string) {
+		registerDecorator({
+			name: 'NoUrl',
+			target: object.constructor,
+			propertyName,
+			options,
+			validator: NoUrlConstraint,
+		});
+	};
+}
diff --git a/packages/cli/src/databases/utils/no-xss.validator.ts b/packages/cli/src/validators/no-xss.validator.ts
similarity index 76%
rename from packages/cli/src/databases/utils/no-xss.validator.ts
rename to packages/cli/src/validators/no-xss.validator.ts
index ce71ebbc18144..8075309df9923 100644
--- a/packages/cli/src/databases/utils/no-xss.validator.ts
+++ b/packages/cli/src/validators/no-xss.validator.ts
@@ -2,16 +2,10 @@ import type { ValidationOptions, ValidatorConstraintInterface } from 'class-vali
 import { registerDecorator, ValidatorConstraint } from 'class-validator';
 import sanitizeHtml from 'sanitize-html';
 
-const URL_REGEX = /^(https?:\/\/|www\.)/i;
-
 @ValidatorConstraint({ name: 'NoXss', async: false })
 class NoXssConstraint implements ValidatorConstraintInterface {
 	validate(value: string) {
-		const sanitized = sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
-
-		if (sanitized !== value) return false;
-
-		return !URL_REGEX.test(value);
+		return value === sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} });
 	}
 
 	defaultMessage() {

From 2b5bac0271f09507a30178aca952f5adefabc0c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Ovejero?= <ivov.src@gmail.com>
Date: Fri, 16 Aug 2024 10:01:03 +0200
Subject: [PATCH 3/3] Apply new decorator

---
 packages/cli/src/databases/entities/User.ts | 3 +++
 packages/cli/src/requests.ts                | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/packages/cli/src/databases/entities/User.ts b/packages/cli/src/databases/entities/User.ts
index d79328208ae87..dad8bbbe8000c 100644
--- a/packages/cli/src/databases/entities/User.ts
+++ b/packages/cli/src/databases/entities/User.ts
@@ -25,6 +25,7 @@ import {
 } from '@/permissions/global-roles';
 import { hasScope, type ScopeOptions, type Scope } from '@n8n/permissions';
 import type { ProjectRelation } from './ProjectRelation';
+import { NoUrl } from '@/validators/no-url.validator';
 
 export type GlobalRole = 'global:owner' | 'global:admin' | 'global:member';
 export type AssignableRole = Exclude<GlobalRole, 'global:owner'>;
@@ -51,12 +52,14 @@ export class User extends WithTimestamps implements IUser {
 
 	@Column({ length: 32, nullable: true })
 	@NoXss()
+	@NoUrl()
 	@IsString({ message: 'First name must be of type string.' })
 	@Length(1, 32, { message: 'First name must be $constraint1 to $constraint2 characters long.' })
 	firstName: string;
 
 	@Column({ length: 32, nullable: true })
 	@NoXss()
+	@NoUrl()
 	@IsString({ message: 'Last name must be of type string.' })
 	@Length(1, 32, { message: 'Last name must be $constraint1 to $constraint2 characters long.' })
 	lastName: string;
diff --git a/packages/cli/src/requests.ts b/packages/cli/src/requests.ts
index 8c28775a3aed7..a847281d7d760 100644
--- a/packages/cli/src/requests.ts
+++ b/packages/cli/src/requests.ts
@@ -26,6 +26,7 @@ import type { ProjectRole } from './databases/entities/ProjectRelation';
 import type { Scope } from '@n8n/permissions';
 import type { ScopesField } from './services/role.service';
 import type { AiAssistantSDK } from '@n8n_io/ai-assistant-sdk';
+import { NoUrl } from '@/validators/no-url.validator';
 
 export class UserUpdatePayload implements Pick<User, 'email' | 'firstName' | 'lastName'> {
 	@Expose()
@@ -34,12 +35,14 @@ export class UserUpdatePayload implements Pick<User, 'email' | 'firstName' | 'la
 
 	@Expose()
 	@NoXss()
+	@NoUrl()
 	@IsString({ message: 'First name must be of type string.' })
 	@Length(1, 32, { message: 'First name must be $constraint1 to $constraint2 characters long.' })
 	firstName: string;
 
 	@Expose()
 	@NoXss()
+	@NoUrl()
 	@IsString({ message: 'Last name must be of type string.' })
 	@Length(1, 32, { message: 'Last name must be $constraint1 to $constraint2 characters long.' })
 	lastName: string;