-
Notifications
You must be signed in to change notification settings - Fork 11.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/develop' into chore/api-client
- Loading branch information
Showing
44 changed files
with
703 additions
and
313 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
import { Meteor } from 'meteor/meteor'; | ||
import { EJSON } from 'meteor/ejson'; | ||
|
||
import { hasPermission } from '../../../authorization/server'; | ||
import { isValidQuery } from '../lib/isValidQuery'; | ||
import { clean } from '../lib/cleanQuery'; | ||
import { API } from '../api'; | ||
|
||
const pathAllowConf = { | ||
'/api/v1/users.list': ['$or', '$regex', '$and'], | ||
'def': ['$or', '$and', '$regex'], | ||
}; | ||
|
||
API.helperMethods.set( | ||
'parseJsonQuery', | ||
function _parseJsonQuery(this: { | ||
request: { | ||
route: string; | ||
}; | ||
queryParams: { | ||
query?: string; | ||
sort?: string; | ||
fields?: string; | ||
}; | ||
logger: any; | ||
userId: string; | ||
queryFields: string[]; | ||
queryOperations: string[]; | ||
}) { | ||
let sort; | ||
if (this.queryParams.sort) { | ||
try { | ||
sort = JSON.parse(this.queryParams.sort); | ||
Object.entries(sort).forEach(([key, value]) => { | ||
if (value !== 1 && value !== -1) { | ||
throw new Meteor.Error('error-invalid-sort-parameter', `Invalid sort parameter: ${key}`, { | ||
helperMethod: 'parseJsonQuery', | ||
}); | ||
} | ||
}); | ||
} catch (e) { | ||
this.logger.warn(`Invalid sort parameter provided "${this.queryParams.sort}":`, e); | ||
throw new Meteor.Error('error-invalid-sort', `Invalid sort parameter provided: "${this.queryParams.sort}"`, { | ||
helperMethod: 'parseJsonQuery', | ||
}); | ||
} | ||
} | ||
|
||
let fields: Record<string, 0 | 1> | undefined; | ||
if (this.queryParams.fields) { | ||
try { | ||
fields = JSON.parse(this.queryParams.fields) as Record<string, 0 | 1>; | ||
|
||
Object.entries(fields).forEach(([key, value]) => { | ||
if (value !== 1 && value !== 0) { | ||
throw new Meteor.Error('error-invalid-sort-parameter', `Invalid fields parameter: ${key}`, { | ||
helperMethod: 'parseJsonQuery', | ||
}); | ||
} | ||
}); | ||
} catch (e) { | ||
this.logger.warn(`Invalid fields parameter provided "${this.queryParams.fields}":`, e); | ||
throw new Meteor.Error('error-invalid-fields', `Invalid fields parameter provided: "${this.queryParams.fields}"`, { | ||
helperMethod: 'parseJsonQuery', | ||
}); | ||
} | ||
} | ||
|
||
// Verify the user's selected fields only contains ones which their role allows | ||
if (typeof fields === 'object') { | ||
let nonSelectableFields = Object.keys(API.v1.defaultFieldsToExclude); | ||
if (this.request.route.includes('/v1/users.')) { | ||
const getFields = () => | ||
Object.keys( | ||
hasPermission(this.userId, 'view-full-other-user-info') | ||
? API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser | ||
: API.v1.limitedUserFieldsToExclude, | ||
); | ||
nonSelectableFields = nonSelectableFields.concat(getFields()); | ||
} | ||
|
||
Object.keys(fields).forEach((k) => { | ||
if (nonSelectableFields.includes(k) || nonSelectableFields.includes(k.split(API.v1.fieldSeparator)[0])) { | ||
fields && delete fields[k as keyof typeof fields]; | ||
} | ||
}); | ||
} | ||
|
||
// Limit the fields by default | ||
fields = Object.assign({}, fields, API.v1.defaultFieldsToExclude); | ||
if (this.request.route.includes('/v1/users.')) { | ||
if (hasPermission(this.userId, 'view-full-other-user-info')) { | ||
fields = Object.assign(fields, API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser); | ||
} else { | ||
fields = Object.assign(fields, API.v1.limitedUserFieldsToExclude); | ||
} | ||
} | ||
|
||
let query: Record<string, any> = {}; | ||
if (this.queryParams.query) { | ||
this.logger.warn('attribute query is deprecated'); | ||
try { | ||
query = EJSON.parse(this.queryParams.query); | ||
query = clean(query, pathAllowConf.def); | ||
} catch (e) { | ||
this.logger.warn(`Invalid query parameter provided "${this.queryParams.query}":`, e); | ||
throw new Meteor.Error('error-invalid-query', `Invalid query parameter provided: "${this.queryParams.query}"`, { | ||
helperMethod: 'parseJsonQuery', | ||
}); | ||
} | ||
} | ||
|
||
// Verify the user has permission to query the fields they are | ||
if (typeof query === 'object') { | ||
let nonQueryableFields = Object.keys(API.v1.defaultFieldsToExclude); | ||
|
||
if (this.request.route.includes('/v1/users.')) { | ||
if (hasPermission(this.userId, 'view-full-other-user-info')) { | ||
nonQueryableFields = nonQueryableFields.concat(Object.keys(API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser)); | ||
} else { | ||
nonQueryableFields = nonQueryableFields.concat(Object.keys(API.v1.limitedUserFieldsToExclude)); | ||
} | ||
} | ||
|
||
if (this.queryFields && !isValidQuery(query, this.queryFields || ['*'], this.queryOperations ?? pathAllowConf.def)) { | ||
throw new Meteor.Error('error-invalid-query', isValidQuery.errors.join('\n')); | ||
} | ||
|
||
Object.keys(query).forEach((k) => { | ||
if (nonQueryableFields.includes(k) || nonQueryableFields.includes(k.split(API.v1.fieldSeparator)[0])) { | ||
query && delete query[k]; | ||
} | ||
}); | ||
} | ||
|
||
return { | ||
sort, | ||
fields, | ||
query, | ||
}; | ||
}, | ||
); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
import { removeDangerousProps } from './cleanQuery'; | ||
|
||
type Query = { [k: string]: any }; | ||
|
||
export const isValidQuery: { | ||
(query: Query, allowedAttributes: string[], allowedOperations: string[]): boolean; | ||
errors: string[]; | ||
} = Object.assign( | ||
(query: Query, allowedAttributes: string[], allowedOperations: string[]): boolean => { | ||
isValidQuery.errors = []; | ||
if (!(query instanceof Object)) { | ||
throw new Error('query must be an object'); | ||
} | ||
|
||
// eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
return verifyQuery(query, allowedAttributes, allowedOperations); | ||
}, | ||
{ | ||
errors: [], | ||
}, | ||
); | ||
|
||
export const verifyQuery = (query: Query, allowedAttributes: string[], allowedOperations: string[], parent = ''): boolean => { | ||
return Object.entries(removeDangerousProps(query)).every(([key, value]) => { | ||
const path = parent ? `${parent}.${key}` : key; | ||
if (parent === '' && path.startsWith('$')) { | ||
if (!allowedOperations.includes(path)) { | ||
isValidQuery.errors.push(`Invalid operation: ${path}`); | ||
return false; | ||
} | ||
if (!Array.isArray(value)) { | ||
isValidQuery.errors.push(`Invalid parameter for operation: ${path} : ${value}`); | ||
return false; | ||
} | ||
return value.every((v) => verifyQuery(v, allowedAttributes, allowedOperations)); | ||
} | ||
|
||
if ( | ||
!allowedAttributes.some((allowedAttribute) => { | ||
if (allowedAttribute.endsWith('.*')) { | ||
return path.startsWith(allowedAttribute.replace('.*', '')); | ||
} | ||
if (allowedAttribute.endsWith('*') && !allowedAttribute.endsWith('.*')) { | ||
return true; | ||
} | ||
return path === allowedAttribute; | ||
}) | ||
) { | ||
isValidQuery.errors.push(`Invalid attribute: ${path}`); | ||
return false; | ||
} | ||
|
||
if (value instanceof Object) { | ||
return verifyQuery(value, allowedAttributes, allowedOperations, path); | ||
} | ||
return true; | ||
}); | ||
}; |
Oops, something went wrong.