fix(quickbooks): address PR review (stable account ID, where sanitization, send body, query description)

waleedlatif1 · waleedlatif1 · commit 425616e7e6fc · 2026-05-05T12:31:32.000-07:00
diff --git a/apps/docs/content/docs/en/tools/quickbooks.mdx b/apps/docs/content/docs/en/tools/quickbooks.mdx
@@ -615,7 +615,7 @@ List vendors from QuickBooks Online
 
 ### `quickbooks_query`
 
-Run a QuickBooks Online query (SQL-like syntax, e.g., 
+Run a QuickBooks Online query using SQL-like syntax (example: SELECT * FROM Item WHERE Active = true)
 
 #### Input
 
diff --git a/apps/sim/app/(landing)/integrations/data/integrations.json b/apps/sim/app/(landing)/integrations/data/integrations.json
@@ -10390,7 +10390,7 @@
       },
       {
         "name": "Run Query",
-        "description": "Run a QuickBooks Online query (SQL-like syntax, e.g., "
+        "description": "Run a QuickBooks Online query using SQL-like syntax (example: SELECT * FROM Item WHERE Active = true)"
       }
     ],
     "operationCount": 22,
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -1812,7 +1812,7 @@ export const auth = betterAuth({
                 return null
               }
               return {
-                id: `quickbooks-${realmId}-${generateId()}`,
+                id: `quickbooks-${realmId}`,
                 name: `QuickBooks Company ${realmId}`,
                 email: `quickbooks-${realmId}@quickbooks.local`,
                 emailVerified: true,
diff --git a/apps/sim/tools/quickbooks/list_accounts.ts b/apps/sim/tools/quickbooks/list_accounts.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksAccountListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { ACCOUNT_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListAccounts')
@@ -54,7 +58,8 @@ export const quickbooksListAccountsTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Account${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_bills.ts b/apps/sim/tools/quickbooks/list_bills.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksBillListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { BILL_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListBills')
@@ -52,7 +56,8 @@ export const quickbooksListBillsTool: ToolConfig<QuickBooksListParams, QuickBook
       url: (params) => {
         const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
         const start = Math.max(Number(params.startPosition) || 1, 1)
-        const whereClause = params.where ? ` WHERE ${params.where}` : ''
+        const safeWhere = sanitizeWhereClause(params.where)
+        const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
         const sql = `SELECT * FROM Bill${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
         const url = buildCompanyUrl(params.realmId, '/query')
         return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_customers.ts b/apps/sim/tools/quickbooks/list_customers.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksCustomerListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { CUSTOMER_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListCustomers')
@@ -54,7 +58,8 @@ export const quickbooksListCustomersTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Customer${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_estimates.ts b/apps/sim/tools/quickbooks/list_estimates.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksEstimateListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { ESTIMATE_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListEstimates')
@@ -54,7 +58,8 @@ export const quickbooksListEstimatesTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Estimate${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_invoices.ts b/apps/sim/tools/quickbooks/list_invoices.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksInvoiceListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { INVOICE_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListInvoices')
@@ -54,7 +58,8 @@ export const quickbooksListInvoicesTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Invoice${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_items.ts b/apps/sim/tools/quickbooks/list_items.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksItemListResponse, QuickBooksListParams } from '@/tools/quickbooks/types'
 import { ITEM_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListItems')
@@ -52,7 +56,8 @@ export const quickbooksListItemsTool: ToolConfig<QuickBooksListParams, QuickBook
       url: (params) => {
         const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
         const start = Math.max(Number(params.startPosition) || 1, 1)
-        const whereClause = params.where ? ` WHERE ${params.where}` : ''
+        const safeWhere = sanitizeWhereClause(params.where)
+        const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
         const sql = `SELECT * FROM Item${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
         const url = buildCompanyUrl(params.realmId, '/query')
         return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_payments.ts b/apps/sim/tools/quickbooks/list_payments.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksListParams, QuickBooksPaymentListResponse } from '@/tools/quickbooks/types'
 import { PAYMENT_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListPayments')
@@ -54,7 +58,8 @@ export const quickbooksListPaymentsTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Payment${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/list_vendors.ts b/apps/sim/tools/quickbooks/list_vendors.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { QuickBooksListParams, QuickBooksVendorListResponse } from '@/tools/quickbooks/types'
 import { VENDOR_OUTPUT } from '@/tools/quickbooks/types'
-import { buildCompanyUrl, quickbooksAuthHeaders } from '@/tools/quickbooks/utils'
+import {
+  buildCompanyUrl,
+  quickbooksAuthHeaders,
+  sanitizeWhereClause,
+} from '@/tools/quickbooks/utils'
 import type { ToolConfig } from '@/tools/types'
 
 const logger = createLogger('QuickBooksListVendors')
@@ -54,7 +58,8 @@ export const quickbooksListVendorsTool: ToolConfig<
     url: (params) => {
       const max = Math.min(Math.max(Number(params.maxResults) || 100, 1), 1000)
       const start = Math.max(Number(params.startPosition) || 1, 1)
-      const whereClause = params.where ? ` WHERE ${params.where}` : ''
+      const safeWhere = sanitizeWhereClause(params.where)
+      const whereClause = safeWhere ? ` WHERE ${safeWhere}` : ''
       const sql = `SELECT * FROM Vendor${whereClause} STARTPOSITION ${start} MAXRESULTS ${max}`
       const url = buildCompanyUrl(params.realmId, '/query')
       return `${url}?query=${encodeURIComponent(sql)}&minorversion=73`
diff --git a/apps/sim/tools/quickbooks/query.ts b/apps/sim/tools/quickbooks/query.ts
@@ -9,7 +9,7 @@ export const quickbooksQueryTool: ToolConfig<QuickBooksQueryParams, QuickBooksQu
   id: 'quickbooks_query',
   name: 'QuickBooks Query',
   description:
-    'Run a QuickBooks Online query (SQL-like syntax, e.g., "SELECT * FROM Item WHERE Active = true")',
+    'Run a QuickBooks Online query using SQL-like syntax (example: SELECT * FROM Item WHERE Active = true)',
   version: '1.0.0',
 
   oauth: { required: true, provider: 'quickbooks' },
diff --git a/apps/sim/tools/quickbooks/send_invoice.ts b/apps/sim/tools/quickbooks/send_invoice.ts
@@ -58,7 +58,6 @@ export const quickbooksSendInvoiceTool: ToolConfig<
       ...quickbooksAuthHeaders(params.accessToken),
       'Content-Type': 'application/octet-stream',
     }),
-    body: () => ({}),
   },
 
   transformResponse: async (response) => {
diff --git a/apps/sim/tools/quickbooks/utils.ts b/apps/sim/tools/quickbooks/utils.ts
@@ -20,6 +20,27 @@ export function buildCompanyUrl(realmId: string | undefined, path: string): stri
   return `${base}/v3/company/${realmId}${trimmed}`
 }
 
+/**
+ * Reject `where` clause values that contain QQL keywords other than predicates.
+ * Prevents callers (or LLMs) from escaping the per-tool entity scope by
+ * appending `MAXRESULTS`, `STARTPOSITION`, `ORDERBY`, additional `SELECT`
+ * statements, etc.
+ */
+const FORBIDDEN_WHERE_KEYWORDS =
+  /\b(MAXRESULTS|STARTPOSITION|ORDER\s*BY|SELECT|FROM|GROUP\s*BY|HAVING)\b/i
+
+export function sanitizeWhereClause(where: string | undefined): string | undefined {
+  if (!where) return undefined
+  const trimmed = where.trim()
+  if (!trimmed) return undefined
+  if (FORBIDDEN_WHERE_KEYWORDS.test(trimmed)) {
+    throw new Error(
+      'where clause may only contain predicate expressions — keywords like MAXRESULTS, STARTPOSITION, ORDER BY, SELECT, and FROM are not allowed'
+    )
+  }
+  return trimmed
+}
+
 export function quickbooksAuthHeaders(accessToken: string | undefined): Record<string, string> {
   if (!accessToken) {
     throw new Error('Missing QuickBooks access token')

Original file line number	Diff line number	Diff line change
`@@ -10390,7 +10390,7 @@`
`10390`	`10390`	`},`
`10391`	`10391`	`{`
`10392`	`10392`	`"name": "Run Query",`
`10393`		`- "description": "Run a QuickBooks Online query (SQL-like syntax, e.g., "`
	`10393`	`+ "description": "Run a QuickBooks Online query using SQL-like syntax (example: SELECT * FROM Item WHERE Active = true)"`
`10394`	`10394`	`}`
`10395`	`10395`	`],`
`10396`	`10396`	`"operationCount": 22,`
Original file line number	Diff line number	Diff line change
`@@ -1812,7 +1812,7 @@ export const auth = betterAuth({`
`1812`	`1812`	`return null`
`1813`	`1813`	`}`
`1814`	`1814`	`return {`
`1815`		- id: `quickbooks-${realmId}-${generateId()}`,
	`1815`	+ id: `quickbooks-${realmId}`,
`1816`	`1816`	name: `QuickBooks Company ${realmId}`,
`1817`	`1817`	email: `quickbooks-${realmId}@quickbooks.local`,
`1818`	`1818`	`emailVerified: true,`