joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Extract query validation logic

Browse Source
This commit is contained in:
Drew Gross
2016-05-18 18:05:04 -07:00
parent ea09213511
commit 15fc186a51
4 changed files with 38 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Adapters/Storage/Mongo/MongoStorageAdapter.js
View File

@@ -185,12 +185,7 @@ export class MongoStorageAdapter {
deleteObjectsByQuery(className, query, validate, schema) { deleteObjectsByQuery(className, query, validate, schema) {
return this.adaptiveCollection(className) return this.adaptiveCollection(className)
.then(collection => { .then(collection => {
if (query.ACL) { transform.validateQuery(query);
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
if (validate && Object.keys(query).some(restKey => !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/))) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
}
let mongoWhere = transform.transformWhere(className, query, schema); let mongoWhere = transform.transformWhere(className, query, schema);
return collection.deleteMany(mongoWhere) return collection.deleteMany(mongoWhere)
}) })

60
src/Adapters/Storage/Mongo/MongoTransform.js
View File

@@ -167,31 +167,9 @@ function transformQueryKeyValue(className, key, value, schema) {
case '_perishable_token': case '_perishable_token':
case '_email_verify_token': return {key, value} case '_email_verify_token': return {key, value}
case '$or': case '$or':
if (!(value instanceof Array)) { return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, schema))};
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value');
}
if (value.some(subQuery => subQuery.ACL)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
Object.keys(subQuery).forEach(restKey => {
if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
}
});
}
return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
case '$and': case '$and':
if (!(value instanceof Array)) { return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, schema))};
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value');
}
if (value.some(subQuery => subQuery.ACL)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
Object.keys(subQuery).forEach(restKey => {
if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
}
});
}
return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
default: default:
// Other auth data // Other auth data
const authDataMatch = key.match(/^authData\.([a-zA-Z0-9_]+)\.id$/); const authDataMatch = key.match(/^authData\.([a-zA-Z0-9_]+)\.id$/);
@@ -233,17 +211,42 @@ function transformQueryKeyValue(className, key, value, schema) {
} }
} }
const validateQuery = query => {
if (query.ACL) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
if (query.$or) {
if (query.$or instanceof Array) {
query.$or.forEach(validateQuery);
} else {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $or format - use an array value.');
}
}
if (query.$and) {
if (query.$and instanceof Array) {
query.$and.forEach(validateQuery);
} else {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $and format - use an array value.');
}
}
Object.keys(query).forEach(key => {
if (!specialQuerykeys.includes(key) && !key.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${key}`);
}
});
}
// Main exposed method to help run queries. // Main exposed method to help run queries.
// restWhere is the "where" clause in REST API form. // restWhere is the "where" clause in REST API form.
// Returns the mongo form of the query. // Returns the mongo form of the query.
// Throws a Parse.Error if the input query is invalid. // Throws a Parse.Error if the input query is invalid.
const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token']; const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
function transformWhere(className, restWhere, { validate = true } = {}, schema) { function transformWhere(className, restWhere, schema) {
let mongoWhere = {}; let mongoWhere = {};
for (let restKey in restWhere) { for (let restKey in restWhere) {
if (validate && !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
}
let out = transformQueryKeyValue(className, restKey, restWhere[restKey], schema); let out = transformQueryKeyValue(className, restKey, restWhere[restKey], schema);
mongoWhere[out.key] = out.value; mongoWhere[out.key] = out.value;
} }
@@ -1045,6 +1048,7 @@ var FileCoder = {
module.exports = { module.exports = {
transformKey, transformKey,
validateQuery,
parseObjectToMongoObjectForCreate, parseObjectToMongoObjectForCreate,
transformUpdate, transformUpdate,
transformWhere, transformWhere,

12
src/Controllers/DatabaseController.js
View File

@@ -184,10 +184,8 @@ DatabaseController.prototype.update = function(className, query, update, {
throw error; throw error;
}) })
.then(parseFormatSchema => { .then(parseFormatSchema => {
if (query.ACL) { this.transform.validateQuery(query);
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.'); var mongoWhere = this.transform.transformWhere(className, query, parseFormatSchema);
}
var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema);
mongoUpdate = this.transform.transformUpdate( mongoUpdate = this.transform.transformUpdate(
schemaController, schemaController,
className, className,
@@ -671,10 +669,8 @@ DatabaseController.prototype.find = function(className, query, {
if (!isMaster) { if (!isMaster) {
query = addReadACL(query, aclGroup); query = addReadACL(query, aclGroup);
} }
if (query.ACL) { this.transform.validateQuery(query);
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.'); let mongoWhere = this.transform.transformWhere(className, query, schema);
}
let mongoWhere = this.transform.transformWhere(className, query, {}, schema);
if (count) { if (count) {
delete mongoOptions.limit; delete mongoOptions.limit;
return collection.count(mongoWhere, mongoOptions); return collection.count(mongoWhere, mongoOptions);

2
src/Routers/GlobalConfigRouter.js
View File

@@ -24,7 +24,7 @@ export class GlobalConfigRouter extends PromiseRouter {
return acc; return acc;
}, {}); }, {});
let database = req.config.database.WithoutValidation(); let database = req.config.database.WithoutValidation();
return database.update('_GlobalConfig', {_id: 1}, update, {upsert: true}).then(() => { return database.update('_GlobalConfig', {objectId: 1}, update, {upsert: true}).then(() => {
return Promise.resolve({ response: { result: true } }); return Promise.resolve({ response: { result: true } });
}); });
} }