Merge pull request #13289 from Budibase/fix/13288

Fix for query inputs allowing handlebars
This commit is contained in:
Michael Drury 2024-03-19 14:59:51 +00:00 committed by GitHub
commit 3ec1f6b0e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 35 additions and 7 deletions


@ -14,22 +14,35 @@ import {
SessionCookie,
JsonFieldSubType,
QueryResponse,
QueryPreview,
QuerySchema,
FieldType,
ExecuteQueryRequest,
ExecuteQueryResponse,
Row,
QueryParameter,
PreviewQueryRequest,
PreviewQueryResponse,
} from "@budibase/types"
import { ValidQueryNameRegex, utils as JsonUtils } from "@budibase/shared-core"
import { findHBSBlocks } from "@budibase/string-templates"
const Runner = new Thread(ThreadType.QUERY, {
timeoutMs: env.QUERY_THREAD_TIMEOUT,
})
function validateQueryInputs(parameters: Record<string, string>) {
for (let entry of Object.entries(parameters)) {
const [key, value] = entry
if (typeof value !== "string") {
continue
}
if (findHBSBlocks(value).length !== 0) {
throw new Error(
`Parameter '${key}' input contains a handlebars binding - this is not allowed.`
)
}
}
}
export async function fetch(ctx: UserCtx) {
ctx.body = await sdk.queries.fetch()
}
@ -123,10 +136,10 @@ function getAuthConfig(ctx: UserCtx) {
function enrichParameters(
queryParameters: QueryParameter[],
requestParameters: { [key: string]: string } = {}
): {
[key: string]: string
} {
requestParameters: Record<string, string> = {}
): Record<string, string> {
// first check parameters are all valid
validateQueryInputs(requestParameters)
// make sure parameters are fully enriched with defaults
for (let parameter of queryParameters) {
if (!requestParameters[parameter.name]) {
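Review bot: In the first hunk, validateQueryInputs skips every non-string value through the `typeof value !== "string"` guard, so an object or array sent in the request body is never inspected, even though the guard itself shows such values are expected to arrive; if those values are stringified before templating further down in enrichParameters (its body continues outside the second hunk, so I cannot confirm this), a binding nested inside them would still reach the template engine. Either reject non-string values outright or walk into objects and arrays, and widen the signature to `Record<string, unknown>` so the type matches what the guard assumes. A one-line TSDoc stating the reason would also help: `/** Rejects request-supplied query parameters that contain handlebars bindings, since these values must never be evaluated as templates. */`. Minor style point: `for (const [key, value] of Object.entries(parameters))` replaces the `let entry` plus separate destructure.
```typescript
function validateQueryInputs(parameters: Record<string, unknown>) {
  const check = (key: string, value: unknown): void => {
    if (typeof value === "string") {
      if (findHBSBlocks(value).length !== 0) {
        throw new Error(
          `Parameter '${key}' input contains a handlebars binding - this is not allowed.`
        )
      }
    } else if (Array.isArray(value)) {
      value.forEach((item, idx) => check(`${key}[${idx}]`, item))
    } else if (value !== null && typeof value === "object") {
      for (const [childKey, child] of Object.entries(value)) {
        check(`${key}.${childKey}`, child)
      }
    }
  }
  for (const [key, value] of Object.entries(parameters)) {
    check(key, value)
  }
}
```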


@ -408,6 +408,21 @@ describe("/queries", () => {
},
})
})
it("shouldn't allow handlebars to be passed as parameters", async () => {
const res = await request
.post(`/api/queries/${query._id}`)
.send({
parameters: {
a: "{{ 'test' }}",
},
})
.set(config.defaultHeaders())
.expect(400)
expect(res.body.message).toEqual(
"Parameter 'a' input contains a handlebars binding - this is not allowed."
)
})
})
describe("variables", () => {
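Review bot: The new test case only exercises a top-level string parameter with the default `{{ }}` delimiters, so it does not pin down what validateQueryInputs does with a non-string parameter, which that function deliberately skips via its `typeof` guard. A second case sending an object value (for example `a: { nested: "{{ 'test' }}" }`) and asserting the intended status would document whether that path is meant to be rejected or allowed, whichever the validator is supposed to do. A short comment above the new `it` naming the rule under test, such as `// request-supplied parameters must not carry template bindings`, would make the intent clear to the next reader.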


@ -11,7 +11,7 @@ export interface PreviewQueryResponse {
}
export interface ExecuteQueryRequest {
parameters?: { [key: string]: string }
parameters?: Record<string, string>
pagination?: any
}