fix(sap_s4hana): reject ?/# in service path; trim long update tool descriptions

waleedlatif1 · claude · waleedlatif1 · commit 04a3986c7326 · 2026-04-27T11:10:53.000-07:00
- ServicePath validator now rejects "?" and "#" so a caller can't smuggle
  query options through the path field (e.g.,
  "/A_BusinessPartner?$format=atomsvc"); the Zod refine now reports
  ".." / "." segments, "?", and "#" together.
- Update Customer / Update Supplier / Update Purchase Requisition tool
  descriptions exceeded the docs generator's 600-char regex window, so
  they were rendering with empty descriptions on the integrations
  landing page. Trimmed them to fit while keeping the limited-fields
  note and the If-Match guidance, then regenerated integrations.json
  and tool docs.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/docs/content/docs/en/tools/sap_s4hana.mdx b/apps/docs/content/docs/en/tools/sap_s4hana.mdx
@@ -239,7 +239,7 @@ Retrieve a single customer by Customer key from SAP S/4HANA Cloud (API_BUSINESS_
 
 ### `sap_s4hana_update_customer`
 
-Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. Note: API_BUSINESS_PARTNER limits A_Customer PATCH to a small set of modifiable fields (e.g., OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, DeletionIndicator). Company-code attributes like PaymentBlockingReason live on A_CustomerCompany. Most descriptive customer attributes are read-only here and must be updated via the BusinessPartner entity. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.
+Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Customer PATCH is limited to modifiable fields such as OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, and DeletionIndicator. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.
 
 #### Input
 
@@ -329,7 +329,7 @@ Retrieve a single supplier by Supplier key from SAP S/4HANA Cloud (API_BUSINESS_
 
 ### `sap_s4hana_update_supplier`
 
-Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. Note: API_BUSINESS_PARTNER limits A_Supplier PATCH to a small set of modifiable fields (e.g., PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, SupplierAccountGroup). Company-code fields like PaymentBlockingReason live on A_SupplierCompany. Most descriptive supplier attributes are read-only here and must be updated via the BusinessPartner entity. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.
+Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Supplier PATCH is limited to modifiable fields such as PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, and SupplierAccountGroup. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.
 
 #### Input
 
@@ -936,7 +936,7 @@ Create a purchase requisition in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV,
 
 ### `sap_s4hana_update_purchase_requisition`
 
-Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates. Note: API_PURCHASEREQ_PROCESS_SRV is deprecated since S/4HANA Cloud Public Edition 2402; the successor is API_PURCHASEREQUISITION_2 (OData v4). This tool still works against tenants where the legacy service is enabled.
+Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV; deprecated since S/4HANA 2402, successor is API_PURCHASEREQUISITION_2 OData v4). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.
 
 #### Input
 
diff --git a/apps/sim/app/(landing)/integrations/data/integrations.json b/apps/sim/app/(landing)/integrations/data/integrations.json
@@ -11308,7 +11308,7 @@
       },
       {
         "name": "Update Customer",
-        "description": ""
+        "description": "Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Customer PATCH is limited to modifiable fields such as OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, and DeletionIndicator. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."
       },
       {
         "name": "List Suppliers",
@@ -11320,7 +11320,7 @@
       },
       {
         "name": "Update Supplier",
-        "description": ""
+        "description": "Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Supplier PATCH is limited to modifiable fields such as PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, and SupplierAccountGroup. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."
       },
       {
         "name": "List Sales Orders",
@@ -11400,7 +11400,7 @@
       },
       {
         "name": "Update Purchase Requisition",
-        "description": ""
+        "description": "Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV; deprecated since S/4HANA 2402, successor is API_PURCHASEREQUISITION_2 OData v4). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."
       },
       {
         "name": "List Purchase Orders",
diff --git a/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts b/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts
@@ -26,9 +26,15 @@ const ServiceName = z
 const ServicePath = z
   .string()
   .min(1, 'path is required')
-  .refine((p) => !p.split(/[/\\]/).some((seg) => seg === '..' || seg === '.'), {
-    message: 'path must not contain ".." or "." segments',
-  })
+  .refine(
+    (p) =>
+      !p.split(/[/\\]/).some((seg) => seg === '..' || seg === '.') &&
+      !p.includes('?') &&
+      !p.includes('#'),
+    {
+      message: 'path must not contain ".." or "." segments, "?", or "#"',
+    }
+  )
 
 const Subdomain = z
   .string()
diff --git a/apps/sim/tools/sap_s4hana/update_customer.ts b/apps/sim/tools/sap_s4hana/update_customer.ts
@@ -12,7 +12,7 @@ export const updateCustomerTool: ToolConfig<UpdateCustomerParams, SapProxyRespon
   id: 'sap_s4hana_update_customer',
   name: 'SAP S/4HANA Update Customer',
   description:
-    'Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. Note: API_BUSINESS_PARTNER limits A_Customer PATCH to a small set of modifiable fields (e.g., OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, DeletionIndicator). Company-code attributes like PaymentBlockingReason live on A_CustomerCompany. Most descriptive customer attributes are read-only here and must be updated via the BusinessPartner entity. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.',
+    'Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Customer PATCH is limited to modifiable fields such as OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, and DeletionIndicator. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.',
   version: '1.0.0',
   params: {
     subdomain: {
diff --git a/apps/sim/tools/sap_s4hana/update_purchase_requisition.ts b/apps/sim/tools/sap_s4hana/update_purchase_requisition.ts
@@ -15,7 +15,7 @@ export const updatePurchaseRequisitionTool: ToolConfig<
   id: 'sap_s4hana_update_purchase_requisition',
   name: 'SAP S/4HANA Update Purchase Requisition',
   description:
-    'Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates. Note: API_PURCHASEREQ_PROCESS_SRV is deprecated since S/4HANA Cloud Public Edition 2402; the successor is API_PURCHASEREQUISITION_2 (OData v4). This tool still works against tenants where the legacy service is enabled.',
+    'Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV; deprecated since S/4HANA 2402, successor is API_PURCHASEREQUISITION_2 OData v4). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.',
   version: '1.0.0',
   params: {
     subdomain: {
diff --git a/apps/sim/tools/sap_s4hana/update_supplier.ts b/apps/sim/tools/sap_s4hana/update_supplier.ts
@@ -12,7 +12,7 @@ export const updateSupplierTool: ToolConfig<UpdateSupplierParams, SapProxyRespon
   id: 'sap_s4hana_update_supplier',
   name: 'SAP S/4HANA Update Supplier',
   description:
-    'Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. Note: API_BUSINESS_PARTNER limits A_Supplier PATCH to a small set of modifiable fields (e.g., PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, SupplierAccountGroup). Company-code fields like PaymentBlockingReason live on A_SupplierCompany. Most descriptive supplier attributes are read-only here and must be updated via the BusinessPartner entity. If-Match defaults to a wildcard (unconditional) — for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.',
+    'Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Supplier PATCH is limited to modifiable fields such as PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, and SupplierAccountGroup. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates.',
   version: '1.0.0',
   params: {
     subdomain: {

Original file line number	Diff line number	Diff line change
`@@ -11308,7 +11308,7 @@`
`11308`	`11308`	`},`
`11309`	`11309`	`{`
`11310`	`11310`	`"name": "Update Customer",`
`11311`		`- "description": ""`
	`11311`	`+ "description": "Update fields on an A_Customer entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Customer PATCH is limited to modifiable fields such as OrderIsBlockedForCustomer, DeliveryIsBlock, BillingIsBlockedForCustomer, PostingIsBlocked, and DeletionIndicator. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."`
`11312`	`11312`	`},`
`11313`	`11313`	`{`
`11314`	`11314`	`"name": "List Suppliers",`
`@@ -11320,7 +11320,7 @@`
`11320`	`11320`	`},`
`11321`	`11321`	`{`
`11322`	`11322`	`"name": "Update Supplier",`
`11323`		`- "description": ""`
	`11323`	`+ "description": "Update fields on an A_Supplier entity in SAP S/4HANA Cloud (API_BUSINESS_PARTNER). PATCH only sends the fields you provide; existing values are preserved. A_Supplier PATCH is limited to modifiable fields such as PostingIsBlocked, PurchasingIsBlocked, PaymentIsBlockedForSupplier, DeletionIndicator, and SupplierAccountGroup. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."`
`11324`	`11324`	`},`
`11325`	`11325`	`{`
`11326`	`11326`	`"name": "List Sales Orders",`
`@@ -11400,7 +11400,7 @@`
`11400`	`11400`	`},`
`11401`	`11401`	`{`
`11402`	`11402`	`"name": "Update Purchase Requisition",`
`11403`		`- "description": ""`
	`11403`	`+ "description": "Update fields on an A_PurchaseRequisitionHeader entity in SAP S/4HANA Cloud (API_PURCHASEREQ_PROCESS_SRV; deprecated since S/4HANA 2402, successor is API_PURCHASEREQUISITION_2 OData v4). PATCH only sends the fields you provide; existing values are preserved. If-Match defaults to a wildcard - for safe concurrent updates pass the ETag from a prior GET to avoid lost updates."`
`11404`	`11404`	`},`
`11405`	`11405`	`{`
`11406`	`11406`	`"name": "List Purchase Orders",`