From a79aec0fa364179bb9ea1c3910fa4472d34fb424 Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 8 May 2025 09:31:36 -0600
Subject: [PATCH 1/2] change to api.path

---
 .../app/api/server/helpers/parseJsonQuery.ts | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
index 068e808751e52..6e2b4f8248c8a 100644
--- a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
+++ b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -24,15 +24,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 */
 query: Record;
 }> {
- const {
- userId,
- queryParams: params,
- logger,
- queryFields,
- queryOperations,
- response,
- request: { route },
- } = api;
+ const { userId, queryParams: params, logger, queryFields, queryOperations, response, path } = api;

 let sort;
 if (params.sort) {
@@ -53,7 +45,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 }
 }

- const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE';
+ const isUnsafeQueryParamsAllowed = true;

 const messageGenerator = ({ endpoint, version, parameter }: { endpoint: string; version: string; parameter: string }): string =>
 `The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`;
@@ -80,7 +72,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 // Verify the user's selected fields only contains ones which their role allows
 if (typeof fields === 'object') {
 let nonSelectableFields = Object.keys(API.v1.defaultFieldsToExclude);
- if (route.includes('/v1/users.')) {
+ if (path.includes('/v1/users.')) {
 nonSelectableFields = nonSelectableFields.concat(
 Object.keys(
 (await hasPermissionAsync(userId, 'view-full-other-user-info'))
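Review bot: The destructured `path` replaces `request.route` as the input to the users-endpoint guards in the third hunk (`if (path.includes('/v1/users.'))`) and in the fourth hunk (@@ -99,7 +91,7 @@), and because `includes` is a substring test, whether the extra field restrictions for users.* endpoints still apply now hinges on `api.path` carrying the `/v1/users.` prefix exactly as the old route string did. The fourth hunk shows `api.path.includes('/v1/users.')` was already in use before this change, which suggests the shapes match, but a route template and a request path are not the same thing, so this deserves confirmation rather than assumption. A comment on the new destructuring line such as `// path (request path) is what the users.* field-restriction guards below match on — TODO confirm it always carries the /v1/ prefix` plus a test asserting that a users.* request by a user without `view-full-other-user-info` still has the non-selectable fields stripped would pin the behaviour. The body of parseJsonQuery continues beyond every hunk on this page.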
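Review bot: In the second hunk `const isUnsafeQueryParamsAllowed = true;` unconditionally re-enables the deprecated query/fields parameters that `messageGenerator` directly below describes as breaking the security of the API and risking data exposure, replacing the opt-in `ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS` environment check. PATCH 2/2 in this series restores the environment check, so the net effect is nil, but as committed this patch leaves a revision in history in which the guard is disabled. Squashing the two patches so that no bisectable commit ships with the check removed would avoid that, and the squashed message should say the change is a switch from `request.route` to `path`. The enclosing function continues outside the hunk.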
@@ -99,7 +91,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{

 // Limit the fields by default
 fields = Object.assign({}, fields, API.v1.defaultFieldsToExclude);
- if (api.path.includes('/v1/users.')) {
+ if (path.includes('/v1/users.')) {
 if (await hasPermissionAsync(userId, 'view-full-other-user-info')) {
 fields = Object.assign(fields, API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser);
 } else {

From e7582ee9ae239713f16048f0d425661b5f44ca4c Mon Sep 17 00:00:00 2001
From: Kevin Aleman
Date: Thu, 8 May 2025 09:34:06 -0600
Subject: [PATCH 2/2] im dum

---
 apps/meteor/app/api/server/helpers/parseJsonQuery.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
index 6e2b4f8248c8a..9879f1cb4f9bc 100644
--- a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
+++ b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -45,7 +45,7 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 }
 }

- const isUnsafeQueryParamsAllowed = true;
+ const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE';

 const messageGenerator = ({ endpoint, version, parameter }: { endpoint: string; version: string; parameter: string }): string =>
 `The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`;
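Review bot: The restored line `const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE';` in PATCH 2/2 carries no explanation of what the flag opens up, even though the message generator two lines below spells out the consequence. A comment above it would help the next reader, for example `// Security opt-out: ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS re-allows the deprecated query/fields parameters that messageGenerator below warns can expose data; only the value 'TRUE' (case-insensitive) enables it.` The rest of this hunk is context, and parseJsonQuery continues outside it.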