fix: enforce strict APIFY_ID_REGEX validation with anchors#640
Merged
Conversation
The regex was loosened as a temporary workaround to keep an 18-char legacy user (yZtyxMUADJHyInTIdl) flagged as forbidden via isForbiddenUsername. That user has since been deleted, so the anchors can be restored. Strict regex prevents arbitrary strings containing a 17-char alphanumeric substring from being incorrectly treated as Apify IDs. Added tests for the anchored behaviour: 18+ char alphanumeric strings, strings with valid 17-char IDs embedded in larger strings, and the empty string are now explicitly rejected.
APIFY_ID_REGEX validation with anchors
APIFY_ID_REGEX validation with anchorsAPIFY_ID_REGEX validation with anchors
fnesveda
approved these changes
May 22, 2026
mtrunkat
approved these changes
May 22, 2026
B4nan
approved these changes
May 22, 2026
jancurn
pushed a commit
that referenced
this pull request
May 22, 2026
After #640 the constant is anchored at the source, so the mongo-check example no longer needs to explain why we deviate from it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Restores
APIFY_ID_REGEXto the anchored form/^[a-zA-Z0-9]{17}$/(resolving the long-standing TODO) and adds test coverage for inputs that only the anchored regex rejects: 18+ char strings, embedded 17-char matches, and the empty string.https://claude.ai/code/session_01Eay2aTeQ79xWdQguqE6n27
Seems we forgot to properly fix this old ducktape. I asked Claude to research uses of
APIFY_ID_REGEXin apify-core and it says it's safe. User yZtyxMUADJHyInTIdl is completely deleted, and there are no others with incorrect ID in the database.There are a few other places where this constant is used, but it looks safe: https://github.com/search?q=org%3Aapify+%22APIFY_ID_REGEX%22&type=code