fix: Server error when invalid 'sort' field is passed from an API client (#2000)

This commit is contained in:
Tom Moor 2021-03-31 18:54:02 -07:00 committed by GitHub
parent 2e64972574
commit 2ef0caba88
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 34 additions and 4 deletions


@ -128,6 +128,8 @@ router.post("documents.list", auth(), pagination(), async (ctx) => {
sort = "updatedAt";
}
ctx.assertSort(sort, Document);
// add the users starred state to the response by default
const starredScope = { method: ["withStarred", user.id] };
const collectionScope = { method: ["withCollection", user.id] };
@ -170,6 +172,7 @@ router.post("documents.pinned", auth(), pagination(), async (ctx) => {
let direction = ctx.body.direction;
if (direction !== "ASC") direction = "DESC";
ctx.assertUuid(collectionId, "collectionId is required");
ctx.assertSort(sort, Document);
const user = ctx.state.user;
const collection = await Collection.scope({
@ -214,6 +217,8 @@ router.post("documents.pinned", auth(), pagination(), async (ctx) => {
router.post("documents.archived", auth(), pagination(), async (ctx) => {
const { sort = "updatedAt" } = ctx.body;
ctx.assertSort(sort, Document);
let direction = ctx.body.direction;
if (direction !== "ASC") direction = "DESC";
@ -254,6 +259,8 @@ router.post("documents.archived", auth(), pagination(), async (ctx) => {
router.post("documents.deleted", auth(), pagination(), async (ctx) => {
const { sort = "deletedAt" } = ctx.body;
ctx.assertSort(sort, Document);
let direction = ctx.body.direction;
if (direction !== "ASC") direction = "DESC";
@ -295,6 +302,8 @@ router.post("documents.deleted", auth(), pagination(), async (ctx) => {
router.post("documents.viewed", auth(), pagination(), async (ctx) => {
let { sort = "updatedAt", direction } = ctx.body;
ctx.assertSort(sort, Document);
if (direction !== "ASC") direction = "DESC";
const user = ctx.state.user;
@ -344,6 +353,8 @@ router.post("documents.viewed", auth(), pagination(), async (ctx) => {
router.post("documents.starred", auth(), pagination(), async (ctx) => {
let { sort = "updatedAt", direction } = ctx.body;
ctx.assertSort(sort, Document);
if (direction !== "ASC") direction = "DESC";
const user = ctx.state.user;
@ -395,6 +406,8 @@ router.post("documents.starred", auth(), pagination(), async (ctx) => {
router.post("documents.drafts", auth(), pagination(), async (ctx) => {
let { collectionId, dateFilter, sort = "updatedAt", direction } = ctx.body;
ctx.assertSort(sort, Document);
if (direction !== "ASC") direction = "DESC";
const user = ctx.state.user;


@ -22,6 +22,7 @@ router.post("events.list", auth(), pagination(), async (ctx) => {
auditLog = false,
} = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, Event);
let where = {
name: Event.ACTIVITY_EVENTS,
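Review bot: `ctx.assertSort(sort, Event)` turns an omitted `sort` into a ValidationError unless the destructuring that begins above this hunk gives `sort` a default, since the helper checks the value against the model's attribute keys and `undefined` is never one of them. Every other handler in this commit defaults it (for example `sort = "updatedAt"`), so it is worth confirming the events.list destructuring does too; otherwise clients that relied on a server-side fallback start receiving 400s. The destructuring statement starts outside the hunk and the handler continues past it.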


@ -18,9 +18,10 @@ const { authorize } = policy;
const router = new Router();
router.post("groups.list", auth(), pagination(), async (ctx) => {
const { sort = "updatedAt" } = ctx.body;
let direction = ctx.body.direction;
let { sort = "updatedAt", direction } = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, Group);
const user = ctx.state.user;
let groups = await Group.findAll({
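Review bot: `ctx.assertSort(sort, Group)` accepts any key of `Group.rawAttributes`, and in Sequelize that set also contains attributes declared as `DataTypes.VIRTUAL`, which have no backing column; if the Group model (not visible here) declares any, a client can still pass one as `sort` and reach the database error this commit is meant to eliminate. If that applies, filtering them out in the helper, e.g. `Object.entries(model.rawAttributes).filter(([, a]) => !(a.type instanceof DataTypes.VIRTUAL))`, or using a per-endpoint allowlist of sortable fields, closes the gap. Also minor: `sort` is never reassigned here, so the destructuring could stay `const` as before with only `direction` needing `let`. The handler body continues past the hunk.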


@ -13,6 +13,7 @@ const router = new Router();
router.post("integrations.list", auth(), pagination(), async (ctx) => {
let { sort = "updatedAt", direction } = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, Integration);
const user = ctx.state.user;
const integrations = await Integration.findAll({


@ -34,6 +34,7 @@ router.post("revisions.info", auth(), async (ctx) => {
router.post("revisions.list", auth(), pagination(), async (ctx) => {
let { documentId, sort = "updatedAt", direction } = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, Revision);
ctx.assertPresent(documentId, "documentId is required");
const user = ctx.state.user;


@ -44,6 +44,7 @@ router.post("shares.info", auth(), async (ctx) => {
router.post("shares.list", auth(), pagination(), async (ctx) => {
let { sort = "updatedAt", direction } = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, Share);
const user = ctx.state.user;
const where = {


@ -13,9 +13,15 @@ const { authorize } = policy;
const router = new Router();
router.post("users.list", auth(), pagination(), async (ctx) => {
const { sort = "createdAt", query, includeSuspended = false } = ctx.body;
let direction = ctx.body.direction;
let {
sort = "createdAt",
query,
direction,
includeSuspended = false,
} = ctx.body;
if (direction !== "ASC") direction = "DESC";
ctx.assertSort(sort, User);
const user = ctx.state.user;
let where = {
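Review bot: `ctx.assertSort(sort, User)` admits every column of the User model, which is wider than the set a client should be able to order by: any column the users.list presenter never returns still becomes orderable, and sort order is a side channel for the relative values of a hidden field across users. An explicit per-endpoint allowlist is the safer shape, for example `const sortable = ["createdAt", "updatedAt"];` checked with `if (!sortable.includes(sort)) throw new ValidationError("Invalid sort parameter");`, extended only with fields the presenter actually exposes; I cannot see the User model or presenter from this hunk, so which extra fields belong in the list needs confirming. The handler body continues past the hunk.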


@ -18,6 +18,12 @@ export default function validation() {
}
};
ctx.assertSort = (value, model, message = "Invalid sort parameter") => {
if (!Object.keys(model.rawAttributes).includes(value)) {
throw new ValidationError(message);
}
};
ctx.assertNotEmpty = (value, message) => {
if (value === "") {
throw new ValidationError(message);