Merge pull request #13289 from Budibase/fix/13288
Fix for query inputs allowing handlebars
3ec1f6b0e7
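--- a/<path not shown on page: query controller>
+++ b/<path not shown on page: query controller>
@@ -14,22 +14,35 @@ import {
 SessionCookie,
 JsonFieldSubType,
 QueryResponse,
-QueryPreview,
 QuerySchema,
 FieldType,
 ExecuteQueryRequest,
 ExecuteQueryResponse,
-Row,
 QueryParameter,
 PreviewQueryRequest,
 PreviewQueryResponse,
 } from "@budibase/types"
 import { ValidQueryNameRegex, utils as JsonUtils } from "@budibase/shared-core"
+import { findHBSBlocks } from "@budibase/string-templates"
 
 const Runner = new Thread(ThreadType.QUERY, {
 timeoutMs: env.QUERY_THREAD_TIMEOUT,
 })
 
+function validateQueryInputs(parameters: Record<string, string>) {
+for (let entry of Object.entries(parameters)) {
+const [key, value] = entry
+if (typeof value !== "string") {
+continue
+}
+if (findHBSBlocks(value).length !== 0) {
+throw new Error(
+`Parameter '${key}' input contains a handlebars binding - this is not allowed.`
+)
+}
+}
+}
+
 export async function fetch(ctx: UserCtx) {
 ctx.body = await sdk.queries.fetch()
 }
@@ -123,10 +136,10 @@ function getAuthConfig(ctx: UserCtx) {
 
 function enrichParameters(
 queryParameters: QueryParameter[],
-requestParameters: { [key: string]: string } = {}
-): {
-[key: string]: string
-} {
+requestParameters: Record<string, string> = {}
+): Record<string, string> {
+// first check parameters are all valid
+validateQueryInputs(requestParameters)
 // make sure parameters are fully enriched with defaults
 for (let parameter of queryParameters) {
 if (!requestParameters[parameter.name]) {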
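Review bot: The `typeof value !== "string"` branch in validateQueryInputs silently skips any parameter that is not a string, but `requestParameters` arrives from the request body as untrusted JSON, so `Record<string, string>` is only a compile-time shape and a handlebars block nested inside an object or array value is never inspected. Whether such nested values later reach the template engine is not visible in this hunk; if they do, check the serialised form as well, e.g. `const text = typeof value === "string" ? value : JSON.stringify(value)` followed by `if (text && findHBSBlocks(text).length !== 0) {`. The new test in the test-file hunk only covers a top-level string value, so a case with the binding inside an object parameter would pin down whichever behaviour is intended for that branch. As a point of style, the destructuring can move into the loop head: `for (const [key, value] of Object.entries(parameters)) {`. enrichParameters continues past the end of the second hunk.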
@ -408,6 +408,21 @@ describe("/queries", () => {
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it("shouldn't allow handlebars to be passed as parameters", async () => {
|
||||||
|
const res = await request
|
||||||
|
.post(`/api/queries/${query._id}`)
|
||||||
|
.send({
|
||||||
|
parameters: {
|
||||||
|
a: "{{ 'test' }}",
|
||||||
|
},
|
||||||
|
})
|
||||||
|
.set(config.defaultHeaders())
|
||||||
|
.expect(400)
|
||||||
|
expect(res.body.message).toEqual(
|
||||||
|
"Parameter 'a' input contains a handlebars binding - this is not allowed."
|
||||||
|
)
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
describe("variables", () => {
|
describe("variables", () => {
|
||||||
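--- a/<path not shown on page: query types>
+++ b/<path not shown on page: query types>
@@ -11,7 +11,7 @@ export interface PreviewQueryResponse {
 }
 
 export interface ExecuteQueryRequest {
-parameters?: { [key: string]: string }
+parameters?: Record<string, string>
 pagination?: any
 }
 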