fix: avoid possible sql injection in userrole query

baslu93 · Luca Bassani · commit d567bb3e603f · 2026-04-27T19:45:51.000+02:00
diff --git a/messages/create.md b/messages/create.md
@@ -82,6 +82,10 @@ This command works with only scratch orgs.
 
 This command doesn't work when authorizing an org using the JWT flow if the org is on Hyperforce.
 
+# error.invalidRoleDeveloperName
+
+Invalid roleDeveloperName: "%s". Must start with a letter and contain only alphanumeric characters or single underscores, with no double or final underscores.
+
 # error.jwtHyperforce.actions
 
 - Authorize your Dev Hub with either the `org login web` or `org login sfdx-url` command. You can then successfully use the `org create user` command on scratch orgs that you create with your Dev Hub.
diff --git a/src/commands/org/create/user.ts b/src/commands/org/create/user.ts
@@ -227,6 +227,9 @@ export class CreateUserCommand extends SfCommand<CreateUserOutput> {
     if (defaultFields['roleDeveloperName']) {
       // @ts-expect-error roleDeveloperName is not a valid field on UserFields
       const devName = defaultFields['roleDeveloperName'] as string;
+      if (!/^[a-z](?!.*__)(?!.*_$)\w*$/i.test(devName)) {
+        throw messages.createError('error.invalidRoleDeveloperName', [devName]);                                    
+      }  
       logger.debug(`Querying org for user role name [${devName}]`);
       const userRole = await this.flags['target-org']
         .getConnection(this.flags['api-version'])
diff --git a/test/commands/create.test.ts b/test/commands/create.test.ts
@@ -431,5 +431,19 @@ describe('org:create:user', () => {
         );
       }
     });
+    
+    it('will handle a failed `createUser` call with a InvalidRoleDeveloperName error', async () => {
+      await prepareStubs({}, true);
+      try {
+        await CreateUserCommand.run(['--json', '--target-org', testOrg.username,'roleDeveloperName=_Invalid_Role']);
+        expect.fail('should have thrown an error');
+      } catch (e) {
+        assert(e instanceof Error);
+        expect(e.name).to.equal('InvalidRoleDeveloperNameError');
+        expect(e.message).to.equal(
+          'Invalid roleDeveloperName: "_Invalid_Role". Must start with a letter and contain only alphanumeric characters or single underscores, with no double or final underscores.'
+        );
+      }
+    });
   });
 });
