fix(striker-ui-api): relocate sanitize input for SQL query

2 years ago · e412d615d1
parent 3cb7c0f7ee
commit e412d615d1
8 changed files with 31 additions and 20 deletions
--- a/striker-ui-api/src/lib/buildIDCondition.ts
+++ b/striker-ui-api/src/lib/buildIDCondition.ts
@ -6,7 +6,7 @@ export const buildIDCondition = (
  field: string,
  { onFallback = () => '' }: { onFallback?: () => string },
 ): { after: string; before: string[] } => {
-  const before = sanitizeQS(ids, { returnType: 'string[]' });
+  const before = sanitizeQS(ids, { isForSQL: true, returnType: 'string[]' });
  const after = join(before, {
    beforeReturn: (toReturn) =>
      toReturn ? `${field} IN (${toReturn})` : onFallback.call(null),
--- a/striker-ui-api/src/lib/request_handlers/anvil/buildQueryAnvilDetail.ts
+++ b/striker-ui-api/src/lib/request_handlers/anvil/buildQueryAnvilDetail.ts
@ -2,7 +2,6 @@ import NODE_AND_DR_RESERVED_MEMORY_SIZE from '../../consts/NODE_AND_DR_RESERVED_
 import { OS_LIST } from '../../consts/OS_LIST';

 import join from '../../join';
-import { sanitizeSQLParam } from '../../sanitizeSQLParam';

 const buildQueryAnvilDetail = ({
  anvilUUIDs = ['*'],
@ -15,9 +14,7 @@ const buildQueryAnvilDetail = ({
    ? ''
    : join(anvilUUIDs, {
        beforeReturn: (toReturn) =>
-          toReturn
-            ? `WHERE anv.anvil_uuid IN (${sanitizeSQLParam(toReturn)})`
-            : '',
+          toReturn ? `WHERE anv.anvil_uuid IN (${toReturn})` : '',
        elementWrapper: "'",
        separator: ', ',
      });
--- a/striker-ui-api/src/lib/request_handlers/anvil/getAnvil.ts
+++ b/striker-ui-api/src/lib/request_handlers/anvil/getAnvil.ts
@ -61,7 +61,10 @@ const getAnvil: RequestHandler = buildGetRequestHandler(
        query: anvilDetailQuery,
        afterQueryReturn: anvilDetailAfterQueryReturn,
      } = buildQueryAnvilDetail({
-        anvilUUIDs: sanitizeQS(anvilUUIDs, { returnType: 'string[]' }),
+        anvilUUIDs: sanitizeQS(anvilUUIDs, {
+          isForSQL: true,
+          returnType: 'string[]',
+        }),
        isForProvisionServer: sanitizeQS(isForProvisionServer, {
          returnType: 'boolean',
        }),
--- a/striker-ui-api/src/lib/request_handlers/file/buildQueryFileDetail.ts
+++ b/striker-ui-api/src/lib/request_handlers/file/buildQueryFileDetail.ts
@ -1,5 +1,4 @@
 import join from '../../join';
-import { sanitizeSQLParam } from '../../sanitizeSQLParam';

 const buildQueryFileDetail = ({
  fileUUIDs = ['*'],
@ -10,9 +9,7 @@ const buildQueryFileDetail = ({
    ? ''
    : join(fileUUIDs, {
        beforeReturn: (toReturn) =>
-          toReturn
-            ? `AND fil.file_uuid IN (${sanitizeSQLParam(toReturn)})`
-            : '',
+          toReturn ? `AND fil.file_uuid IN (${toReturn})` : '',
        elementWrapper: "'",
        separator: ', ',
      });
--- a/striker-ui-api/src/lib/request_handlers/file/getFile.ts
+++ b/striker-ui-api/src/lib/request_handlers/file/getFile.ts
@ -19,7 +19,10 @@ const getFile: RequestHandler = buildGetRequestHandler((request) => {

  if (fileUUIDs) {
    query = buildQueryFileDetail({
-      fileUUIDs: sanitizeQS(fileUUIDs, { returnType: 'string[]' }),
+      fileUUIDs: sanitizeQS(fileUUIDs, {
+        isForSQL: true,
+        returnType: 'string[]',
+      }),
    });
  }

--- a/striker-ui-api/src/lib/request_handlers/file/getFileDetail.ts
+++ b/striker-ui-api/src/lib/request_handlers/file/getFileDetail.ts
@ -2,9 +2,11 @@ import { RequestHandler } from 'express';

 import buildGetRequestHandler from '../buildGetRequestHandler';
 import buildQueryFileDetail from './buildQueryFileDetail';
+import { sanitizeSQLParam } from '../../sanitizeSQLParam';

-const getFileDetail: RequestHandler = buildGetRequestHandler((request) =>
-  buildQueryFileDetail({ fileUUIDs: [request.params.fileUUID] }),
+const getFileDetail: RequestHandler = buildGetRequestHandler(
+  ({ params: { fileUUID } }) =>
+    buildQueryFileDetail({ fileUUIDs: [sanitizeSQLParam(fileUUID)] }),
 );

 export default getFileDetail;
--- a/striker-ui-api/src/lib/sanitizeQS.ts
+++ b/striker-ui-api/src/lib/sanitizeQS.ts
@ -1,3 +1,5 @@
+import { sanitizeSQLParam } from './sanitizeSQLParam';
+
 type MapToReturnType = {
  boolean: boolean;
  number: number;
@ -8,26 +10,27 @@ type MapToReturnType = {
 type MapToReturnFunction = {
  [ReturnTypeName in keyof MapToReturnType]: (
    qs: unknown,
+    modSQL: (value: string) => string,
  ) => MapToReturnType[ReturnTypeName];
 };

 const MAP_TO_RETURN_FUNCTION: MapToReturnFunction = {
  boolean: (qs) => qs !== undefined,
  number: (qs) => parseFloat(String(qs)) || 0,
-  string: (qs) => (qs ? String(qs) : ''),
-  'string[]': (qs) => {
+  string: (qs, modSQL) => (qs ? modSQL(String(qs)) : ''),
+  'string[]': (qs, modSQL) => {
    let result: string[] = [];

    if (qs instanceof Array) {
      result = qs.reduce<string[]>((reduceContainer, element) => {
        if (element) {
-          reduceContainer.push(String(element));
+          reduceContainer.push(modSQL(String(element)));
        }

        return reduceContainer;
      }, []);
    } else if (qs) {
-      result = String(qs).split(/[,;]/);
+      result = modSQL(String(qs)).split(/[,;]/);
    }

    return result;
@ -36,6 +39,12 @@ const MAP_TO_RETURN_FUNCTION: MapToReturnFunction = {

 export const sanitizeQS = <ReturnTypeName extends keyof MapToReturnType>(
  qs: unknown,
-  { returnType = 'string' }: { returnType?: ReturnTypeName | 'string' } = {},
+  {
+    isForSQL = false,
+    returnType = 'string',
+  }: { isForSQL?: boolean; returnType?: ReturnTypeName | 'string' } = {},
 ): MapToReturnType[ReturnTypeName] =>
-  MAP_TO_RETURN_FUNCTION[returnType](qs) as MapToReturnType[ReturnTypeName];
+  MAP_TO_RETURN_FUNCTION[returnType](
+    qs,
+    isForSQL ? sanitizeSQLParam : (value: string) => value,
+  ) as MapToReturnType[ReturnTypeName];
--- a/striker-ui-api/src/lib/sanitizeSQLParam.ts
+++ b/striker-ui-api/src/lib/sanitizeSQLParam.ts
@ -1,2 +1,2 @@
 export const sanitizeSQLParam = (variable: string): string =>
-  variable.replaceAll(/[']/g, '');
+  variable.replace(/[']/g, '');