Merge pull request #13289 from Budibase/fix/13288
Fix for query inputs allowing handlebars
commit
3ec1f6b0e7
@ -14,22 +14,35 @@ import {
|
|||
SessionCookie,
|
||||
JsonFieldSubType,
|
||||
QueryResponse,
|
||||
QueryPreview,
|
||||
QuerySchema,
|
||||
FieldType,
|
||||
ExecuteQueryRequest,
|
||||
ExecuteQueryResponse,
|
||||
Row,
|
||||
QueryParameter,
|
||||
PreviewQueryRequest,
|
||||
PreviewQueryResponse,
|
||||
} from "@budibase/types"
|
||||
import { ValidQueryNameRegex, utils as JsonUtils } from "@budibase/shared-core"
|
||||
import { findHBSBlocks } from "@budibase/string-templates"
|
||||
|
||||
const Runner = new Thread(ThreadType.QUERY, {
|
||||
timeoutMs: env.QUERY_THREAD_TIMEOUT,
|
||||
})
|
||||
|
||||
function validateQueryInputs(parameters: Record<string, string>) {
|
||||
for (let entry of Object.entries(parameters)) {
|
||||
const [key, value] = entry
|
||||
if (typeof value !== "string") {
|
||||
continue
|
||||
}
|
||||
if (findHBSBlocks(value).length !== 0) {
|
||||
throw new Error(
|
||||
`Parameter '${key}' input contains a handlebars binding - this is not allowed.`
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
export async function fetch(ctx: UserCtx) {
|
||||
ctx.body = await sdk.queries.fetch()
|
||||
}
|
||||
|
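Review bot: validateQueryInputs silently skips any parameter whose value is not a string (the `continue` after the typeof check), so a nested object or array value whose strings contain `{{ }}` passes unchecked, and the declared `Record<string, string>` type cannot be relied on here because, as the `/queries` test hunk shows, the parameters come straight from the request body. Since the request type in the types hunk declares `parameters?: Record<string, string>`, rejecting non-strings looks consistent with the contract: replace the `continue` with `throw new Error(\`Parameter '${key}' input must be a string.\`)` and type the argument as `Record<string, unknown>` so the check reads as runtime validation, unless non-string values are intentionally accepted somewhere outside these hunks. The same gap applies to the test added in the `/queries` hunk, which only covers a top-level string value. A one-line TSDoc above the function would also help, e.g. `/** Rejects client-supplied query parameters that contain handlebars bindings, so they cannot be treated as templates later. */`, with the "later" part confirmed against the code path that consumes them. Minor style: `for (const [key, value] of Object.entries(parameters))` replaces the `let entry` plus separate destructuring.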
@ -123,10 +136,10 @@ function getAuthConfig(ctx: UserCtx) {
|
|||
|
||||
function enrichParameters(
|
||||
queryParameters: QueryParameter[],
|
||||
requestParameters: { [key: string]: string } = {}
|
||||
): {
|
||||
[key: string]: string
|
||||
} {
|
||||
requestParameters: Record<string, string> = {}
|
||||
): Record<string, string> {
|
||||
// first check parameters are all valid
|
||||
validateQueryInputs(requestParameters)
|
||||
// make sure parameters are fully enriched with defaults
|
||||
for (let parameter of queryParameters) {
|
||||
if (!requestParameters[parameter.name]) {
|
||||
|
|
|
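Review bot: enrichParameters now validates requestParameters before merging defaults but carries no comment saying which side is trusted; add a TSDoc above the signature noting that `requestParameters` are client-supplied (the `/queries` test posts them in the request body) and are rejected if they contain handlebars bindings, while the defaults taken from `queryParameters` come from the stored query definition and are applied without that check. The existing `// first check parameters are all valid` comment could then say what "valid" means, e.g. `// reject request parameters that carry handlebars bindings before defaults are merged in`. The body of enrichParameters continues past the end of this hunk.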
@ -408,6 +408,21 @@ describe("/queries", () => {
|
|||
},
|
||||
})
|
||||
})
|
||||
|
||||
it("shouldn't allow handlebars to be passed as parameters", async () => {
|
||||
const res = await request
|
||||
.post(`/api/queries/${query._id}`)
|
||||
.send({
|
||||
parameters: {
|
||||
a: "{{ 'test' }}",
|
||||
},
|
||||
})
|
||||
.set(config.defaultHeaders())
|
||||
.expect(400)
|
||||
expect(res.body.message).toEqual(
|
||||
"Parameter 'a' input contains a handlebars binding - this is not allowed."
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe("variables", () => {
|
||||
|
|
|
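Review bot: The new test only exercises the execute endpoint `/api/queries/:id`; if the preview path also runs enrichParameters (the controller imports PreviewQueryRequest, but that handler is outside these hunks) a matching preview test with the same `{{ 'test' }}` parameter would confirm the check applies there too. Asserting on the exact message string ties the test to wording; asserting on the 400 status plus a `toContain("handlebars binding")` check would survive a reworded error.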
@ -11,7 +11,7 @@ export interface PreviewQueryResponse {
|
|||
}
|
||||
|
||||
export interface ExecuteQueryRequest {
|
||||
parameters?: { [key: string]: string }
|
||||
parameters?: Record<string, string>
|
||||
pagination?: any
|
||||
}
|
||||
|
||||
|
|