Merge branch 'master' of github.com:budibase/budibase into sql-security

This commit is contained in:
Sam Rose 2024-10-24 11:04:16 +01:00
commit 4a42439647
No known key found for this signature in database
4 changed files with 128 additions and 44 deletions

View File

@ -29,6 +29,7 @@ describe.each(
const isOracle = dbName === DatabaseName.ORACLE const isOracle = dbName === DatabaseName.ORACLE
const isMsSQL = dbName === DatabaseName.SQL_SERVER const isMsSQL = dbName === DatabaseName.SQL_SERVER
const isPostgres = dbName === DatabaseName.POSTGRES const isPostgres = dbName === DatabaseName.POSTGRES
const mainTableName = "test_table"
let rawDatasource: Datasource let rawDatasource: Datasource
let datasource: Datasource let datasource: Datasource
@ -71,15 +72,15 @@ describe.each(
client = await knexClient(rawDatasource) client = await knexClient(rawDatasource)
await client.schema.dropTableIfExists("test_table") await client.schema.dropTableIfExists(mainTableName)
await client.schema.createTable("test_table", table => { await client.schema.createTable(mainTableName, table => {
table.increments("id").primary() table.increments("id").primary()
table.string("name") table.string("name")
table.timestamp("birthday") table.timestamp("birthday")
table.integer("number") table.integer("number")
}) })
await client("test_table").insert([ await client(mainTableName).insert([
{ name: "one" }, { name: "one" },
{ name: "two" }, { name: "two" },
{ name: "three" }, { name: "three" },
@ -105,7 +106,7 @@ describe.each(
const query = await createQuery({ const query = await createQuery({
name: "New Query", name: "New Query",
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
}) })
@ -114,7 +115,7 @@ describe.each(
name: "New Query", name: "New Query",
parameters: [], parameters: [],
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
schema: {}, schema: {},
queryVerb: "read", queryVerb: "read",
@ -133,7 +134,7 @@ describe.each(
it("should be able to update a query", async () => { it("should be able to update a query", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
}) })
@ -143,7 +144,7 @@ describe.each(
...query, ...query,
name: "Updated Query", name: "Updated Query",
fields: { fields: {
sql: client("test_table").where({ id: 1 }).toString(), sql: client(mainTableName).where({ id: 1 }).toString(),
}, },
}) })
@ -152,7 +153,7 @@ describe.each(
name: "Updated Query", name: "Updated Query",
parameters: [], parameters: [],
fields: { fields: {
sql: client("test_table").where({ id: 1 }).toString(), sql: client(mainTableName).where({ id: 1 }).toString(),
}, },
schema: {}, schema: {},
queryVerb: "read", queryVerb: "read",
@ -169,7 +170,7 @@ describe.each(
it("should be able to delete a query", async () => { it("should be able to delete a query", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
}) })
@ -188,7 +189,7 @@ describe.each(
it("should be able to list queries", async () => { it("should be able to list queries", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
}) })
@ -199,7 +200,7 @@ describe.each(
it("should strip sensitive fields for prod apps", async () => { it("should strip sensitive fields for prod apps", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").select("*").toString(), sql: client(mainTableName).select("*").toString(),
}, },
}) })
@ -217,7 +218,7 @@ describe.each(
const jsonStatement = `COALESCE(json_build_object('name', name),'{"name":{}}'::json)` const jsonStatement = `COALESCE(json_build_object('name', name),'{"name":{}}'::json)`
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.select([ .select([
"*", "*",
client.raw( client.raw(
@ -245,7 +246,7 @@ describe.each(
datasourceId: datasource._id!, datasourceId: datasource._id!,
queryVerb: "read", queryVerb: "read",
fields: { fields: {
sql: client("test_table").where({ id: 1 }).toString(), sql: client(mainTableName).where({ id: 1 }).toString(),
}, },
parameters: [], parameters: [],
transformer: "return data", transformer: "return data",
@ -391,7 +392,7 @@ describe.each(
it("should work with dynamic variables", async () => { it("should work with dynamic variables", async () => {
const basedOnQuery = await createQuery({ const basedOnQuery = await createQuery({
fields: { fields: {
sql: client("test_table").select("name").where({ id: 1 }).toString(), sql: client(mainTableName).select("name").where({ id: 1 }).toString(),
}, },
}) })
@ -440,7 +441,7 @@ describe.each(
it("should handle the dynamic base query being deleted", async () => { it("should handle the dynamic base query being deleted", async () => {
const basedOnQuery = await createQuery({ const basedOnQuery = await createQuery({
fields: { fields: {
sql: client("test_table").select("name").where({ id: 1 }).toString(), sql: client(mainTableName).select("name").where({ id: 1 }).toString(),
}, },
}) })
@ -494,7 +495,7 @@ describe.each(
it("should be able to insert with bindings", async () => { it("should be able to insert with bindings", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").insert({ name: "{{ foo }}" }).toString(), sql: client(mainTableName).insert({ name: "{{ foo }}" }).toString(),
}, },
parameters: [ parameters: [
{ {
@ -517,7 +518,7 @@ describe.each(
}, },
]) ])
const rows = await client("test_table").where({ name: "baz" }).select() const rows = await client(mainTableName).where({ name: "baz" }).select()
expect(rows).toHaveLength(1) expect(rows).toHaveLength(1)
for (const row of rows) { for (const row of rows) {
expect(row).toMatchObject({ name: "baz" }) expect(row).toMatchObject({ name: "baz" })
@ -527,7 +528,7 @@ describe.each(
it("should not allow handlebars as parameters", async () => { it("should not allow handlebars as parameters", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").insert({ name: "{{ foo }}" }).toString(), sql: client(mainTableName).insert({ name: "{{ foo }}" }).toString(),
}, },
parameters: [ parameters: [
{ {
@ -563,7 +564,7 @@ describe.each(
const date = new Date(datetimeStr) const date = new Date(datetimeStr)
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.insert({ .insert({
name: "foo", name: "foo",
birthday: client.raw("{{ birthday }}"), birthday: client.raw("{{ birthday }}"),
@ -585,7 +586,7 @@ describe.each(
expect(result.data).toEqual([{ created: true }]) expect(result.data).toEqual([{ created: true }])
const rows = await client("test_table") const rows = await client(mainTableName)
.where({ birthday: datetimeStr }) .where({ birthday: datetimeStr })
.select() .select()
expect(rows).toHaveLength(1) expect(rows).toHaveLength(1)
@ -601,7 +602,7 @@ describe.each(
async notDateStr => { async notDateStr => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.insert({ name: client.raw("{{ name }}") }) .insert({ name: client.raw("{{ name }}") })
.toString(), .toString(),
}, },
@ -622,7 +623,7 @@ describe.each(
expect(result.data).toEqual([{ created: true }]) expect(result.data).toEqual([{ created: true }])
const rows = await client("test_table") const rows = await client(mainTableName)
.where({ name: notDateStr }) .where({ name: notDateStr })
.select() .select()
expect(rows).toHaveLength(1) expect(rows).toHaveLength(1)
@ -634,7 +635,7 @@ describe.each(
it("should execute a query", async () => { it("should execute a query", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").select("*").orderBy("id").toString(), sql: client(mainTableName).select("*").orderBy("id").toString(),
}, },
}) })
@ -677,7 +678,7 @@ describe.each(
it("should be able to transform a query", async () => { it("should be able to transform a query", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").where({ id: 1 }).select("*").toString(), sql: client(mainTableName).where({ id: 1 }).select("*").toString(),
}, },
transformer: ` transformer: `
data[0].id = data[0].id + 1; data[0].id = data[0].id + 1;
@ -700,7 +701,7 @@ describe.each(
it("should coerce numeric bindings", async () => { it("should coerce numeric bindings", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.where({ id: client.raw("{{ id }}") }) .where({ id: client.raw("{{ id }}") })
.select("*") .select("*")
.toString(), .toString(),
@ -734,7 +735,7 @@ describe.each(
it("should be able to update rows", async () => { it("should be able to update rows", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.update({ name: client.raw("{{ name }}") }) .update({ name: client.raw("{{ name }}") })
.where({ id: client.raw("{{ id }}") }) .where({ id: client.raw("{{ id }}") })
.toString(), .toString(),
@ -759,7 +760,7 @@ describe.each(
}, },
}) })
const rows = await client("test_table").where({ id: 1 }).select() const rows = await client(mainTableName).where({ id: 1 }).select()
expect(rows).toEqual([ expect(rows).toEqual([
{ id: 1, name: "foo", birthday: null, number: null }, { id: 1, name: "foo", birthday: null, number: null },
]) ])
@ -768,7 +769,7 @@ describe.each(
it("should be able to execute an update that updates no rows", async () => { it("should be able to execute an update that updates no rows", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.update({ name: "updated" }) .update({ name: "updated" })
.where({ id: 100 }) .where({ id: 100 })
.toString(), .toString(),
@ -778,7 +779,7 @@ describe.each(
await config.api.query.execute(query._id!) await config.api.query.execute(query._id!)
const rows = await client("test_table").select() const rows = await client(mainTableName).select()
for (const row of rows) { for (const row of rows) {
expect(row.name).not.toEqual("updated") expect(row.name).not.toEqual("updated")
} }
@ -787,14 +788,14 @@ describe.each(
it("should be able to execute a delete that deletes no rows", async () => { it("should be able to execute a delete that deletes no rows", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table").where({ id: 100 }).delete().toString(), sql: client(mainTableName).where({ id: 100 }).delete().toString(),
}, },
queryVerb: "delete", queryVerb: "delete",
}) })
await config.api.query.execute(query._id!) await config.api.query.execute(query._id!)
const rows = await client("test_table").select() const rows = await client(mainTableName).select()
expect(rows).toHaveLength(5) expect(rows).toHaveLength(5)
}) })
}) })
@ -803,7 +804,7 @@ describe.each(
it("should be able to delete rows", async () => { it("should be able to delete rows", async () => {
const query = await createQuery({ const query = await createQuery({
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.where({ id: client.raw("{{ id }}") }) .where({ id: client.raw("{{ id }}") })
.delete() .delete()
.toString(), .toString(),
@ -823,7 +824,7 @@ describe.each(
}, },
}) })
const rows = await client("test_table").where({ id: 1 }).select() const rows = await client(mainTableName).where({ id: 1 }).select()
expect(rows).toHaveLength(0) expect(rows).toHaveLength(0)
}) })
}) })
@ -831,7 +832,7 @@ describe.each(
describe("query through datasource", () => { describe("query through datasource", () => {
it("should be able to query the datasource", async () => { it("should be able to query the datasource", async () => {
const entityId = "test_table" const entityId = mainTableName
await config.api.datasource.update({ await config.api.datasource.update({
...datasource, ...datasource,
entities: { entities: {
@ -876,7 +877,7 @@ describe.each(
beforeAll(async () => { beforeAll(async () => {
queryParams = { queryParams = {
fields: { fields: {
sql: client("test_table") sql: client(mainTableName)
.insert({ .insert({
name: client.raw("{{ bindingName }}"), name: client.raw("{{ bindingName }}"),
number: client.raw("{{ bindingNumber }}"), number: client.raw("{{ bindingNumber }}"),
@ -929,4 +930,34 @@ describe.each(
}) })
}) })
}) })
describe("edge cases", () => {
it("should find rows with a binding containing a slash", async () => {
const slashValue = "1/10"
await client(mainTableName).insert([{ name: slashValue }])
const query = await createQuery({
fields: {
sql: client(mainTableName)
.select("*")
.where("name", "=", client.raw("{{ bindingName }}"))
.toString(),
},
parameters: [
{
name: "bindingName",
default: "",
},
],
queryVerb: "read",
})
const results = await config.api.query.execute(query._id!, {
parameters: {
bindingName: slashValue,
},
})
expect(results).toBeDefined()
expect(results.data.length).toEqual(1)
})
})
}) })

View File

@ -24,8 +24,7 @@ import {
checkExternalTables, checkExternalTables,
HOST_ADDRESS, HOST_ADDRESS,
} from "./utils" } from "./utils"
import dayjs from "dayjs" import { isDate, NUMBER_REGEX } from "../utilities"
import { NUMBER_REGEX } from "../utilities"
import { MySQLColumn } from "./base/types" import { MySQLColumn } from "./base/types"
import { getReadableErrorMessage } from "./base/errorMapping" import { getReadableErrorMessage } from "./base/errorMapping"
import { sql } from "@budibase/backend-core" import { sql } from "@budibase/backend-core"
@ -129,11 +128,7 @@ export function bindingTypeCoerce(bindings: SqlQueryBinding) {
} }
// if not a number, see if it is a date - important to do in this order as any // if not a number, see if it is a date - important to do in this order as any
// integer will be considered a valid date // integer will be considered a valid date
else if ( else if (isDate(binding)) {
/^\d/.test(binding) &&
dayjs(binding).isValid() &&
!binding.includes(",")
) {
let value: any let value: any
value = new Date(binding) value = new Date(binding)
if (isNaN(value)) { if (isNaN(value)) {
@ -439,8 +434,7 @@ class MySQLIntegration extends Sql implements DatasourcePlus {
dumpContent.push(createTableStatement) dumpContent.push(createTableStatement)
} }
const schema = dumpContent.join("\n") return dumpContent.join("\n")
return schema
} finally { } finally {
this.disconnect() this.disconnect()
} }

View File

@ -3,7 +3,10 @@ import { context } from "@budibase/backend-core"
import { generateMetadataID } from "../db/utils" import { generateMetadataID } from "../db/utils"
import { Document } from "@budibase/types" import { Document } from "@budibase/types"
import stream from "stream" import stream from "stream"
import dayjs from "dayjs"
import customParseFormat from "dayjs/plugin/customParseFormat"
dayjs.extend(customParseFormat)
const Readable = stream.Readable const Readable = stream.Readable
export function wait(ms: number) { export function wait(ms: number) {
@ -13,6 +16,28 @@ export function wait(ms: number) {
export const isDev = env.isDev export const isDev = env.isDev
export const NUMBER_REGEX = /^[+-]?([0-9]*[.])?[0-9]+$/g export const NUMBER_REGEX = /^[+-]?([0-9]*[.])?[0-9]+$/g
const ACCEPTED_DATE_FORMATS = [
"MM/DD/YYYY",
"MM/DD/YY",
"DD/MM/YYYY",
"DD/MM/YY",
"YYYY/MM/DD",
"YYYY-MM-DD",
"YYYY-MM-DDTHH:mm",
"YYYY-MM-DDTHH:mm:ss",
"YYYY-MM-DDTHH:mm:ss[Z]",
"YYYY-MM-DDTHH:mm:ss.SSS[Z]",
]
export function isDate(str: string) {
// checks for xx/xx/xx or ISO date timestamp formats
for (const format of ACCEPTED_DATE_FORMATS) {
if (dayjs(str, format, true).isValid()) {
return true
}
}
return false
}
export function removeFromArray(array: any[], element: any) { export function removeFromArray(array: any[], element: any) {
const index = array.indexOf(element) const index = array.indexOf(element)

View File

@ -0,0 +1,34 @@
import { isDate } from "../"
describe("isDate", () => {
it("should handle DD/MM/YYYY", () => {
expect(isDate("01/01/2001")).toEqual(true)
})
it("should handle DD/MM/YY", () => {
expect(isDate("01/01/01")).toEqual(true)
})
it("should handle ISO format YYYY-MM-DD", () => {
expect(isDate("2001-01-01")).toEqual(true)
})
it("should handle ISO format with time (YYYY-MM-DDTHH:MM)", () => {
expect(isDate("2001-01-01T12:30")).toEqual(true)
})
it("should handle ISO format with full timestamp (YYYY-MM-DDTHH:MM:SS)", () => {
expect(isDate("2001-01-01T12:30:45")).toEqual(true)
})
it("should handle complete ISO format", () => {
expect(isDate("2001-01-01T12:30:00.000Z")).toEqual(true)
})
it("should return false for invalid formats", () => {
expect(isDate("")).toEqual(false)
expect(isDate("1/10")).toEqual(false)
expect(isDate("random string")).toEqual(false)
expect(isDate("123456")).toEqual(false)
})
})