fix(monday): sanitize columns JSON in search_items GraphQL query

waleedlatif1 · claude · waleedlatif1 · commit dc7814b605e6 · 2026-04-16T19:37:29.000-07:00
Parse and re-stringify the columns param to ensure well-formed JSON
before interpolating into the GraphQL query, preventing injection
via malformed input.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/tools/monday/search_items.ts b/apps/sim/tools/monday/search_items.ts
@@ -60,7 +60,9 @@ export const mondaySearchItemsTool: ToolConfig<MondaySearchItemsParams, MondaySe
           }
         }
         const columnsJson =
-          typeof params.columns === 'string' ? params.columns : JSON.stringify(params.columns)
+          typeof params.columns === 'string'
+            ? JSON.stringify(JSON.parse(params.columns))
+            : JSON.stringify(params.columns)
         return {
           query: `query { items_page_by_column_values(limit: ${limit}, board_id: ${params.boardId}, columns: ${columnsJson}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,
         }

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,9 @@ export const mondaySearchItemsTool: ToolConfig<MondaySearchItemsParams, MondaySe`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`	`const columnsJson =`
`63`		`- typeof params.columns === 'string' ? params.columns : JSON.stringify(params.columns)`
	`63`	`+ typeof params.columns === 'string'`
	`64`	`+ ? JSON.stringify(JSON.parse(params.columns))`
	`65`	`+ : JSON.stringify(params.columns)`
`64`	`66`	`return {`
`65`	`67`	query: `query { items_page_by_column_values(limit: ${limit}, board_id: ${params.boardId}, columns: ${columnsJson}) { cursor items { id name state board { id } group { id title } column_values { id text value type } created_at updated_at url } } }`,
`66`	`68`	`}`