diff --git a/server/api/documents.js b/server/api/documents.js
index bc050d02..1944b8d1 100644
--- a/server/api/documents.js
+++ b/server/api/documents.js
@@ -128,6 +128,8 @@ router.post("documents.list", auth(), pagination(), async (ctx) => {
     sort = "updatedAt";
   }
+  ctx.assertSort(sort, Document);
+
   // add the users starred state to the response by default
   const starredScope = { method: ["withStarred", user.id] };
   const collectionScope = { method: ["withCollection", user.id] };
@@ -170,6 +172,7 @@ router.post("documents.pinned", auth(), pagination(), async (ctx) => {
   let direction = ctx.body.direction;
   if (direction !== "ASC") direction = "DESC";
   ctx.assertUuid(collectionId, "collectionId is required");
+  ctx.assertSort(sort, Document);
   const user = ctx.state.user;
   const collection = await Collection.scope({
@@ -214,6 +217,8 @@ router.post("documents.pinned", auth(), pagination(), async (ctx) => {
 router.post("documents.archived", auth(), pagination(), async (ctx) => {
   const { sort = "updatedAt" } = ctx.body;
+  ctx.assertSort(sort, Document);
+
   let direction = ctx.body.direction;
   if (direction !== "ASC") direction = "DESC";
@@ -254,6 +259,8 @@ router.post("documents.archived", auth(), pagination(), async (ctx) => {
 router.post("documents.deleted", auth(), pagination(), async (ctx) => {
   const { sort = "deletedAt" } = ctx.body;
+  ctx.assertSort(sort, Document);
+
   let direction = ctx.body.direction;
   if (direction !== "ASC") direction = "DESC";
@@ -295,6 +302,8 @@ router.post("documents.deleted", auth(), pagination(), async (ctx) => {
 router.post("documents.viewed", auth(), pagination(), async (ctx) => {
   let { sort = "updatedAt", direction } = ctx.body;
+  ctx.assertSort(sort, Document);
+
   if (direction !== "ASC") direction = "DESC";
   const user = ctx.state.user;
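Review bot: The new `ctx.assertSort(sort, Document)` call is placed differently across the documents.js handlers: in documents.list it runs after the `sort = "updatedAt"` fallback branch and in documents.pinned only after `ctx.assertUuid` and the direction normalisation, while the archived, deleted, viewed, starred and drafts hunks run it directly after the destructuring. Running the check at the same point in every handler, immediately after `sort` has its final value, makes it much easier to audit that no client-supplied ordering key reaches a query unchecked. In documents.list the branch that reassigns `sort` starts outside the hunk, so whether every non-column sort key is mapped to a real column before the check cannot be confirmed from here. A one-line comment at the first call site, `// sort is used as an ordering column later on; restrict it to real Document columns`, would record why the check sits where it does.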
@@ -344,6 +353,8 @@ router.post("documents.viewed", auth(), pagination(), async (ctx) => {
 router.post("documents.starred", auth(), pagination(), async (ctx) => {
   let { sort = "updatedAt", direction } = ctx.body;
+  ctx.assertSort(sort, Document);
+
   if (direction !== "ASC") direction = "DESC";
   const user = ctx.state.user;
@@ -395,6 +406,8 @@ router.post("documents.starred", auth(), pagination(), async (ctx) => {
 router.post("documents.drafts", auth(), pagination(), async (ctx) => {
   let { collectionId, dateFilter, sort = "updatedAt", direction } = ctx.body;
+  ctx.assertSort(sort, Document);
+
   if (direction !== "ASC") direction = "DESC";
   const user = ctx.state.user;
diff --git a/server/api/events.js b/server/api/events.js
index 6a5c08be..b007c74c 100644
--- a/server/api/events.js
+++ b/server/api/events.js
@@ -22,6 +22,7 @@ router.post("events.list", auth(), pagination(), async (ctx) => {
     auditLog = false,
   } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, Event);
   let where = {
     name: Event.ACTIVITY_EVENTS,
diff --git a/server/api/groups.js b/server/api/groups.js
index d72a7a56..78847b3d 100644
--- a/server/api/groups.js
+++ b/server/api/groups.js
@@ -18,9 +18,10 @@ const { authorize } = policy;
 const router = new Router();
 router.post("groups.list", auth(), pagination(), async (ctx) => {
-  const { sort = "updatedAt" } = ctx.body;
-  let direction = ctx.body.direction;
+  let { sort = "updatedAt", direction } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, Group);
+
   const user = ctx.state.user;
   let groups = await Group.findAll({
diff --git a/server/api/integrations.js b/server/api/integrations.js
index 5814cc15..672e7ab0 100644
--- a/server/api/integrations.js
+++ b/server/api/integrations.js
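Review bot: In the events.list hunk, `ctx.assertSort(sort, Event)` rejects an absent `sort`, because `Object.keys(Event.rawAttributes).includes(undefined)` is false, so if the destructuring that begins above this hunk gives `sort` no default, a request that omits `sort` now fails with "Invalid sort parameter" where it previously went through. Every other handler touched by this commit defaults `sort` in its destructuring, so either confirm the default exists in the lines above the hunk or add `sort = "createdAt"` (or whichever column the existing query orders by) there. The enclosing handler starts outside the hunk.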
@@ -13,6 +13,7 @@ const router = new Router();
 router.post("integrations.list", auth(), pagination(), async (ctx) => {
   let { sort = "updatedAt", direction } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, Integration);
   const user = ctx.state.user;
   const integrations = await Integration.findAll({
diff --git a/server/api/revisions.js b/server/api/revisions.js
index 4ec83708..5c4a2df5 100644
--- a/server/api/revisions.js
+++ b/server/api/revisions.js
@@ -34,6 +34,7 @@ router.post("revisions.info", auth(), async (ctx) => {
 router.post("revisions.list", auth(), pagination(), async (ctx) => {
   let { documentId, sort = "updatedAt", direction } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, Revision);
   ctx.assertPresent(documentId, "documentId is required");
   const user = ctx.state.user;
diff --git a/server/api/shares.js b/server/api/shares.js
index d5f1a80a..4123ae50 100644
--- a/server/api/shares.js
+++ b/server/api/shares.js
@@ -44,6 +44,7 @@ router.post("shares.info", auth(), async (ctx) => {
 router.post("shares.list", auth(), pagination(), async (ctx) => {
   let { sort = "updatedAt", direction } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, Share);
   const user = ctx.state.user;
   const where = {
diff --git a/server/api/users.js b/server/api/users.js
index d30f4037..14240dd3 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -13,9 +13,15 @@ const { authorize } = policy;
 const router = new Router();
 router.post("users.list", auth(), pagination(), async (ctx) => {
-  const { sort = "createdAt", query, includeSuspended = false } = ctx.body;
-  let direction = ctx.body.direction;
+  let {
+    sort = "createdAt",
+    query,
+    direction,
+    includeSuspended = false,
+  } = ctx.body;
   if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, User);
+
   const user = ctx.state.user;
   let where = {
diff --git a/server/middlewares/validation.js b/server/middlewares/validation.js
index d7cc3e3b..cd5ebc42 100644
--- a/server/middlewares/validation.js
+++ b/server/middlewares/validation.js
@@ -18,6 +18,12 @@ export default function validation() {
     }
   };
+  ctx.assertSort = (value, model, message = "Invalid sort parameter") => {
+    if (!Object.keys(model.rawAttributes).includes(value)) {
+      throw new ValidationError(message);
+    }
+  };
+
   ctx.assertNotEmpty = (value, message) => {
     if (value === "") {
       throw new ValidationError(message);
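Review bot: `Object.keys(model.rawAttributes).includes(value)` accepts every column the model declares, so the check stops non-column input but still lets a caller order results by columns that are never returned in the response; for the User, Share and other models validated in this commit that may include credential, token or other internal columns if the models define any (not visible here), and an observable sort order on such a column discloses information about its contents. Prefer an explicit per-model allowlist of sortable fields over `rawAttributes`, for example `const allowed = model.sortableAttributes ?? Object.keys(model.rawAttributes);` (constructed property name) followed by `if (!allowed.includes(value))`, so each model opts its columns in rather than exposing all of them; this applies equally to the call sites in users.js, shares.js, events.js, revisions.js, integrations.js, groups.js and documents.js. The helper also deserves a contract comment, e.g. `/** Throws ValidationError unless value names a declared column of model; call it before a client-supplied sort key is used to order a query. */`. The enclosing `validation()` middleware starts and ends outside the hunk.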