Merge pull request #13289 from Budibase/fix/13288

Fix for query inputs allowing handlebars
This commit is contained in:
Michael Drury 2024-03-19 14:59:51 +00:00 committed by GitHub
commit 3ec1f6b0e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 35 additions and 7 deletions

View File

@ -14,22 +14,35 @@ import {
SessionCookie, SessionCookie,
JsonFieldSubType, JsonFieldSubType,
QueryResponse, QueryResponse,
QueryPreview,
QuerySchema, QuerySchema,
FieldType, FieldType,
ExecuteQueryRequest, ExecuteQueryRequest,
ExecuteQueryResponse, ExecuteQueryResponse,
Row,
QueryParameter, QueryParameter,
PreviewQueryRequest, PreviewQueryRequest,
PreviewQueryResponse, PreviewQueryResponse,
} from "@budibase/types" } from "@budibase/types"
import { ValidQueryNameRegex, utils as JsonUtils } from "@budibase/shared-core" import { ValidQueryNameRegex, utils as JsonUtils } from "@budibase/shared-core"
import { findHBSBlocks } from "@budibase/string-templates"
const Runner = new Thread(ThreadType.QUERY, { const Runner = new Thread(ThreadType.QUERY, {
timeoutMs: env.QUERY_THREAD_TIMEOUT, timeoutMs: env.QUERY_THREAD_TIMEOUT,
}) })
function validateQueryInputs(parameters: Record<string, string>) {
for (let entry of Object.entries(parameters)) {
const [key, value] = entry
if (typeof value !== "string") {
continue
}
if (findHBSBlocks(value).length !== 0) {
throw new Error(
`Parameter '${key}' input contains a handlebars binding - this is not allowed.`
)
}
}
}
export async function fetch(ctx: UserCtx) { export async function fetch(ctx: UserCtx) {
ctx.body = await sdk.queries.fetch() ctx.body = await sdk.queries.fetch()
} }
@ -123,10 +136,10 @@ function getAuthConfig(ctx: UserCtx) {
function enrichParameters( function enrichParameters(
queryParameters: QueryParameter[], queryParameters: QueryParameter[],
requestParameters: { [key: string]: string } = {} requestParameters: Record<string, string> = {}
): { ): Record<string, string> {
[key: string]: string // first check parameters are all valid
} { validateQueryInputs(requestParameters)
// make sure parameters are fully enriched with defaults // make sure parameters are fully enriched with defaults
for (let parameter of queryParameters) { for (let parameter of queryParameters) {
if (!requestParameters[parameter.name]) { if (!requestParameters[parameter.name]) {

View File

@ -408,6 +408,21 @@ describe("/queries", () => {
}, },
}) })
}) })
it("shouldn't allow handlebars to be passed as parameters", async () => {
const res = await request
.post(`/api/queries/${query._id}`)
.send({
parameters: {
a: "{{ 'test' }}",
},
})
.set(config.defaultHeaders())
.expect(400)
expect(res.body.message).toEqual(
"Parameter 'a' input contains a handlebars binding - this is not allowed."
)
})
}) })
describe("variables", () => { describe("variables", () => {

View File

@ -11,7 +11,7 @@ export interface PreviewQueryResponse {
} }
export interface ExecuteQueryRequest { export interface ExecuteQueryRequest {
parameters?: { [key: string]: string } parameters?: Record<string, string>
pagination?: any pagination?: any
} }