yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: Improve UUID vaildation – prevent nonsense reaching db queries

Browse Source
This commit is contained in:
Tom Moor
2022-07-17 14:49:04 +01:00
parent 4af69b2758
commit 11e1ef455f
3 changed files with 19 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
server/routes/api/attachments.ts
View File

@@ -2,11 +2,7 @@ import Router from "koa-router";
import { v4 as uuidv4 } from "uuid"; import { v4 as uuidv4 } from "uuid";
import { bytesToHumanReadable } from "@shared/utils/files"; import { bytesToHumanReadable } from "@shared/utils/files";
import { sequelize } from "@server/database/sequelize"; import { sequelize } from "@server/database/sequelize";
import { import { AuthorizationError, ValidationError } from "@server/errors";
AuthorizationError,
NotFoundError,
ValidationError,
} from "@server/errors";
import auth from "@server/middlewares/authentication"; import auth from "@server/middlewares/authentication";
import { Attachment, Document, Event } from "@server/models"; import { Attachment, Document, Event } from "@server/models";
import { authorize } from "@server/policies"; import { authorize } from "@server/policies";
@@ -15,7 +11,7 @@ import {
publicS3Endpoint, publicS3Endpoint,
getSignedUrl, getSignedUrl,
} from "@server/utils/s3"; } from "@server/utils/s3";
import { assertPresent } from "@server/validation"; import { assertPresent, assertUuid } from "@server/validation";
const router = new Router(); const router = new Router();
const AWS_S3_ACL = process.env.AWS_S3_ACL || "private"; const AWS_S3_ACL = process.env.AWS_S3_ACL || "private";
@@ -113,13 +109,11 @@ router.post("attachments.create", auth(), async (ctx) => {
router.post("attachments.delete", auth(), async (ctx) => { router.post("attachments.delete", auth(), async (ctx) => {
const { id } = ctx.body; const { id } = ctx.body;
assertPresent(id, "id is required"); assertUuid(id, "id is required");
const { user } = ctx.state; const { user } = ctx.state;
const attachment = await Attachment.findByPk(id); const attachment = await Attachment.findByPk(id, {
rejectOnEmpty: true,
if (!attachment) { });
throw NotFoundError();
}
if (attachment.documentId) { if (attachment.documentId) {
const document = await Document.findByPk(attachment.documentId, { const document = await Document.findByPk(attachment.documentId, {
@@ -144,13 +138,11 @@ router.post("attachments.delete", auth(), async (ctx) => {
router.post("attachments.redirect", auth(), async (ctx) => { router.post("attachments.redirect", auth(), async (ctx) => {
const { id } = ctx.body; const { id } = ctx.body;
assertPresent(id, "id is required"); assertUuid(id, "id is required");
const { user } = ctx.state; const { user } = ctx.state;
const attachment = await Attachment.findByPk(id); const attachment = await Attachment.findByPk(id, {
rejectOnEmpty: true,
if (!attachment) { });
throw NotFoundError();
}
if (attachment.isPrivate) { if (attachment.isPrivate) {
if (attachment.teamId !== user.teamId) { if (attachment.teamId !== user.teamId) {

13
server/routes/api/revisions.ts
View File

@@ -1,23 +1,20 @@
import Router from "koa-router"; import Router from "koa-router";
import { NotFoundError } from "@server/errors";
import auth from "@server/middlewares/authentication"; import auth from "@server/middlewares/authentication";
import { Document, Revision } from "@server/models"; import { Document, Revision } from "@server/models";
import { authorize } from "@server/policies"; import { authorize } from "@server/policies";
import { presentRevision } from "@server/presenters"; import { presentRevision } from "@server/presenters";
import { assertPresent, assertSort } from "@server/validation"; import { assertPresent, assertSort, assertUuid } from "@server/validation";
import pagination from "./middlewares/pagination"; import pagination from "./middlewares/pagination";
const router = new Router(); const router = new Router();
router.post("revisions.info", auth(), async (ctx) => { router.post("revisions.info", auth(), async (ctx) => {
const { id } = ctx.body; const { id } = ctx.body;
assertPresent(id, "id is required"); assertUuid(id, "id is required");
const { user } = ctx.state; const { user } = ctx.state;
const revision = await Revision.findByPk(id); const revision = await Revision.findByPk(id, {
rejectOnEmpty: true,
if (!revision) { });
throw NotFoundError();
}
const document = await Document.findByPk(revision.documentId, { const document = await Document.findByPk(revision.documentId, {
userId: user.id, userId: user.id,

5
server/routes/api/searches.ts
View File

@@ -2,7 +2,7 @@ import Router from "koa-router";
import auth from "@server/middlewares/authentication"; import auth from "@server/middlewares/authentication";
import { SearchQuery } from "@server/models"; import { SearchQuery } from "@server/models";
import { presentSearchQuery } from "@server/presenters"; import { presentSearchQuery } from "@server/presenters";
import { assertPresent } from "@server/validation"; import { assertPresent, assertUuid } from "@server/validation";
import pagination from "./middlewares/pagination"; import pagination from "./middlewares/pagination";
const router = new Router(); const router = new Router();
@@ -28,6 +28,9 @@ router.post("searches.list", auth(), pagination(), async (ctx) => {
router.post("searches.delete", auth(), async (ctx) => { router.post("searches.delete", auth(), async (ctx) => {
const { id, query } = ctx.body; const { id, query } = ctx.body;
assertPresent(id || query, "id or query is required"); assertPresent(id || query, "id or query is required");
if (id) {
assertUuid(id, "id is must be a uuid");
}
const { user } = ctx.state; const { user } = ctx.state;
await SearchQuery.destroy({ await SearchQuery.destroy({