Strip ASCII control characters from project identifiers

akabiru · akabiru · commit 1babb4ba10b4 · 2026-03-20T16:54:25.000+03:00
Add normalizes :identifier with RemoveAsciiControlCharacters to
strip characters like newlines, tabs, and backspaces that should
never appear in a project identifier.
diff --git a/app/models/projects/identifier.rb b/app/models/projects/identifier.rb
@@ -38,6 +38,8 @@ module Projects::Identifier
   included do
     extend FriendlyId
 
+    normalizes :identifier, with: OpenProject::RemoveAsciiControlCharacters
+
     acts_as_url :name,
                 url_attribute: :identifier,
                 sync_url: false, # Don't update identifier when name changes
diff --git a/spec/models/projects/identifier_spec.rb b/spec/models/projects/identifier_spec.rb
@@ -31,6 +31,12 @@
 require "spec_helper"
 
 RSpec.describe Projects::Identifier do
+  describe "identifier normalization" do
+    subject { Project.new }
+
+    it { is_expected.to normalize(:identifier).from("my\n\x00project\t").to("myproject") }
+  end
+
   describe "url identifier" do
     let(:reserved) do
       Rails.application.routes.routes
