authorDavid Lu <david.lu@hotmail.com>2016-05-20 14:47:10 -0400
committerChristopher Speller <crspeller@gmail.com>2016-05-20 14:47:10 -0400
commite81fa3220de51350592e50b2fa3e0dc9425d43f8 (patch)
treecf9447ba5ab4440f1c641a9d95103ea91e76b873
parent4f265522e1ac05ef2c10140019da73e1c4def162 (diff)
Added validation for command triggers (#3068)
-rw-r--r--model/command.go5
-rw-r--r--webapp/components/backstage/add_command.jsx48
-rw-r--r--webapp/i18n/en.json9
-rw-r--r--webapp/i18n/es.json6
-rw-r--r--webapp/i18n/fr.json7
-rw-r--r--webapp/i18n/ja.json5
-rw-r--r--webapp/i18n/pt.json6
-rw-r--r--webapp/utils/constants.jsx2
8 files changed, 70 insertions, 18 deletions
diff --git a/model/command.go b/model/command.go
index 4d5f7ace9..decb647b7 100644
--- a/model/command.go
+++ b/model/command.go
@@ -6,11 +6,14 @@ package model
import (
"encoding/json"
"io"
+ "strings"
)
const (
COMMAND_METHOD_POST = "P"
COMMAND_METHOD_GET = "G"
+ MIN_TRIGGER_LENGTH = 1
+ MAX_TRIGGER_LENGTH = 128
)
type Command struct {
@@ -99,7 +102,7 @@ func (o *Command) IsValid() *AppError {
return NewLocAppError("Command.IsValid", "model.command.is_valid.team_id.app_error", nil, "")
}
- if len(o.Trigger) == 0 || len(o.Trigger) > 128 {
+ if len(o.Trigger) < MIN_TRIGGER_LENGTH || len(o.Trigger) > MAX_TRIGGER_LENGTH || strings.Index(o.Trigger, "/") == 0 || strings.Contains(o.Trigger, " ") {
return NewLocAppError("Command.IsValid", "model.command.is_valid.trigger.app_error", nil, "")
}
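Review bot: The new whitespace test in `IsValid`, `strings.Contains(o.Trigger, " ")`, rejects only the ASCII space, so a trigger containing a tab, a newline or other Unicode whitespace still passes the server-side check, which is the only one that applies to requests that do not come through the web form. Consider `strings.IndexFunc(o.Trigger, unicode.IsSpace) >= 0` (needs the `unicode` import) or at least `strings.ContainsAny(o.Trigger, " \t\r\n")`; the client check `command.trigger.indexOf(' ') !== -1` in add_command.jsx has the same limitation. `strings.Index(o.Trigger, "/") == 0` would also read more directly as `strings.HasPrefix(o.Trigger, "/")`. The body of `IsValid` begins and continues outside this hunk.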
diff --git a/webapp/components/backstage/add_command.jsx b/webapp/components/backstage/add_command.jsx
index f3208bc5f..c817764aa 100644
--- a/webapp/components/backstage/add_command.jsx
+++ b/webapp/components/backstage/add_command.jsx
@@ -11,6 +11,7 @@ import {FormattedMessage} from 'react-intl';
import FormError from 'components/form_error.jsx';
import {browserHistory, Link} from 'react-router';
import SpinnerButton from 'components/spinner_button.jsx';
+import Constants from 'utils/constants.jsx';
const REQUEST_POST = 'P';
const REQUEST_GET = 'G';
@@ -92,6 +93,51 @@ export default class AddCommand extends React.Component {
return;
}
+ if (command.trigger.indexOf('/') === 0) {
+ this.setState({
+ saving: false,
+ clientError: (
+ <FormattedMessage
+ id='add_command.triggerInvalidSlash'
+ defaultMessage='A trigger word cannot begin with a /'
+ />
+ )
+ });
+
+ return;
+ }
+
+ if (command.trigger.indexOf(' ') !== -1) {
+ this.setState({
+ saving: false,
+ clientError: (
+ <FormattedMessage
+ id='add_command.triggerInvalidSpace'
+ defaultMessage='A trigger word must not contain spaces'
+ />
+ )
+ });
+ return;
+ }
+
+ if (command.trigger.length < Constants.MIN_TRIGGER_LENGTH || command.trigger.length > Constants.MAX_TRIGGER_LENGTH) {
+ this.setState({
+ saving: false,
+ clientError: (
+ <FormattedMessage
+ id='add_command.triggerInvalidLength'
+ defaultMessage='A trigger word must contain between {min} and {max} characters'
+ values={{
+ min: Constants.MIN_TRIGGER_LENGTH,
+ max: Constants.MAX_TRIGGER_LENGTH
+ }}
+ />
+ )
+ });
+
+ return;
+ }
+
if (!command.url) {
this.setState({
saving: false,
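Review bot: The added length check `command.trigger.length > Constants.MAX_TRIGGER_LENGTH` counts UTF-16 code units, while the server's `len(o.Trigger)` in model/command.go counts bytes, so a non-ASCII trigger can pass this form check and then be rejected by the server with its single generic trigger error. The server stays authoritative, so this is a usability gap rather than a bypass, but the message 'between {min} and {max} characters' will not match what is enforced; counting runes on the server with `utf8.RuneCountInString(o.Trigger)` would bring the two closer. The three added blocks differ only in their message, so a small helper that takes the `FormattedMessage` and calls `this.setState({saving: false, clientError})` would remove the repetition. The enclosing submit handler starts and ends outside this hunk.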
@@ -323,7 +369,7 @@ export default class AddCommand extends React.Component {
<input
id='trigger'
type='text'
- maxLength='128'
+ maxLength={Constants.MAX_TRIGGER_LENGTH}
className='form-control'
value={this.state.trigger}
onChange={this.updateTrigger}
diff --git a/webapp/i18n/en.json b/webapp/i18n/en.json
index bff8ab8aa..fcbfc7cbb 100644
--- a/webapp/i18n/en.json
+++ b/webapp/i18n/en.json
@@ -47,10 +47,13 @@
"add_command.method.help": "The type of command request issued to the Request URL.",
"add_command.method.post": "POST",
"add_command.trigger": "Command Trigger Word",
- "add_command.trigger.help1": "Examples: /patient, /client, /employee",
- "add_command.trigger.help2": "Reserved: /echo, /join, /logout, /me, /shrug",
- "add_command.trigger.placeholder": "Command trigger e.g. \"hello\" not including the slash",
+ "add_command.trigger.help1": "Examples: patient, client, employee",
+ "add_command.trigger.help2": "Reserved: echo, join, logout, me, shrug",
+ "add_command.trigger.placeholder": "Command trigger e.g. \"hello\"",
"add_command.triggerRequired": "A trigger word is required",
+ "add_command.triggerInvalidSlash": "A trigger word cannot begin with a /",
+ "add_command.triggerInvalidSpace": "A trigger word must not contain spaces",
+ "add_command.triggerInvalidLength": "A trigger word must contain between {min} and {max} characters",
"add_command.url": "Request URL",
"add_command.url.help": "The callback URL to receive the HTTP POST or GET event request when the slash command is run.",
"add_command.url.placeholder": "Must start with http:// or https://",
diff --git a/webapp/i18n/es.json b/webapp/i18n/es.json
index b6c45cbfa..0d41ae6a5 100644
--- a/webapp/i18n/es.json
+++ b/webapp/i18n/es.json
@@ -46,9 +46,9 @@
"add_command.method.help": "El tipo de comando que se utiliza al hacer una solicitud al URL.",
"add_command.method.post": "POST",
"add_command.trigger": "Palabra Gatilladora del Comando",
- "add_command.trigger.help1": "Ejemplos: /paciente, /cliente, /empleado",
- "add_command.trigger.help2": "Reservadas: /echo, /join, /logout, /me, /shrug",
- "add_command.trigger.placeholder": "Gatillador del Comando ej. \"hola\" no se debe incluir la barra",
+ "add_command.trigger.help1": "Ejemplos: paciente, cliente, empleado",
+ "add_command.trigger.help2": "Reservadas: echo, join, logout, me, shrug",
+ "add_command.trigger.placeholder": "Gatillador del Comando ej. \"hola\"",
"add_command.triggerRequired": "Se requiere una palabra gatilladora",
"add_command.url": "URL de Solicitud",
"add_command.url.help": "El URL para recibir el evento de la solicitud HTTP POST o GET cuando se ejecuta el comando de barra.",
diff --git a/webapp/i18n/fr.json b/webapp/i18n/fr.json
index f46d339e4..b81efb4bf 100644
--- a/webapp/i18n/fr.json
+++ b/webapp/i18n/fr.json
@@ -46,10 +46,9 @@
"add_command.method.help": "Le type de méthode de requête HTTP envoyé à cette URL.",
"add_command.method.post": "POST",
"add_command.trigger": "Mot-clé de déclenchement",
- "add_command.trigger.help1": "Exemples: /patient, /client, /employé",
- "add_command.trigger.help2": "Mots réservés : /echo, /join, /logout, /me, /shrug",
- "add_command.trigger.placeholder": "Command trigger e.g. \"hello\" not including the slash",
- "add_command.triggerRequired": "A trigger word is required",
+ "add_command.trigger.help1": "Exemples: patient, client, employé",
+ "add_command.trigger.help2": "Mots réservés : echo, join, logout, me, shrug",
+ "add_command.trigger.placeholder": "Command trigger e.g. \"hello\"",
"add_command.url": "URL de requête",
"add_command.url.help": "L'URL de callback qui recevra la requête POST ou GET quand cette commande slash est exécutée.",
"add_command.url.placeholder": "Doit commencer par http:// ou https://",
diff --git a/webapp/i18n/ja.json b/webapp/i18n/ja.json
index ba1c8c901..821dec387 100644
--- a/webapp/i18n/ja.json
+++ b/webapp/i18n/ja.json
@@ -46,9 +46,8 @@
"add_command.method.help": "リクエストURLに発行するコマンドリクエストの種類です。",
"add_command.method.post": "POST",
"add_command.trigger": "コマンドトリガーワード",
- "add_command.trigger.help1": "例: /patient, /client, /employee",
- "add_command.trigger.help2": "予約語: /echo, /join, /logout, /me, /shrug",
- "add_command.trigger.placeholder": "コマンドトリガー 例: スラッシュコマンドに含まれていない\"hello\"",
+ "add_command.trigger.help1": "例: patient, client, employee",
+ "add_command.trigger.help2": "予約語: echo, join, logout, me, shrug",
"add_command.triggerRequired": "トリガーワードが必要です。",
"add_command.url": "リクエストURL",
"add_command.url.help": "スラッシュコマンドを実行した時に、HTTP POSTまたはGETイベントリクエストを受信するコールバックURLです。",
diff --git a/webapp/i18n/pt.json b/webapp/i18n/pt.json
index abc2a927a..a18de4139 100644
--- a/webapp/i18n/pt.json
+++ b/webapp/i18n/pt.json
@@ -46,9 +46,9 @@
"add_command.method.help": "O tipo de solicitação do comando emitido para a URL requisitada.",
"add_command.method.post": "POST",
"add_command.trigger": "Comando Palavra Gatilho",
- "add_command.trigger.help1": "Exemplos: /paciente, /cliente, /funcionario",
- "add_command.trigger.help2": "Reservados: /echo, /join, /logout, /me, /shrug",
- "add_command.trigger.placeholder": "Comando de gatilho ex. \"hello\", não incluí a barra",
+ "add_command.trigger.help1": "Exemplos: paciente, cliente, funcionario",
+ "add_command.trigger.help2": "Reservados: echo, join, logout, me, shrug",
+ "add_command.trigger.placeholder": "Comando de gatilho ex. \"hello\"",
"add_command.triggerRequired": "Uma palavra gatilho é necessária",
"add_command.url": "URL da solicitação",
"add_command.url.help": "A URL callback para receber o evento HTTP POST ou GET quando o comando slash for executado.",
diff --git a/webapp/utils/constants.jsx b/webapp/utils/constants.jsx
index be858c554..0bbb0c9c2 100644
--- a/webapp/utils/constants.jsx
+++ b/webapp/utils/constants.jsx
@@ -644,6 +644,8 @@ export default {
MAX_USERNAME_LENGTH: 22,
MIN_PASSWORD_LENGTH: 5,
MAX_PASSWORD_LENGTH: 50,
+ MIN_TRIGGER_LENGTH: 1,
+ MAX_TRIGGER_LENGTH: 128,
TIME_SINCE_UPDATE_INTERVAL: 30000,
MIN_HASHTAG_LINK_LENGTH: 3,
EMOJI_PATH: '/static/emoji',