chore!: add conditional support to query and fields query params (#33544

) * chore: add conditional support to query and fields query params * chore: add conditional support to query and fields query params * chore: remove dummyRoute * chore: add comment on hasSupportedRoutes * chore: change logger to point to version 8
RocketChat · Oct 17, 2024 · f633c7e · f633c7e
1 parent 73d3c0d
commit f633c7e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 5 deletions.
diff --git a/apps/meteor/app/api/server/definition.ts b/apps/meteor/app/api/server/definition.ts
@@ -149,7 +149,13 @@ export type ActionThis<TMethod extends Method, TPathPattern extends PathPattern,
 	readonly queryOperations: TOptions extends { queryOperations: infer T } ? T : never;
 	parseJsonQuery(): Promise<{
 		sort: Record<string, 1 | -1>;
+		/**
+		 * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+		 */
 		fields: Record<string, 0 | 1>;
+		/**
+		 * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+		 */
 		query: Record<string, unknown>;
 	}>;
 } & (TOptions extends { authRequired: true }

diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -15,7 +15,13 @@ const pathAllowConf = {
 
 export async function parseJsonQuery(api: PartialThis): Promise<{
 	sort: Record<string, 1 | -1>;
+	/**
+	 * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+	 */
 	fields: Record<string, 0 | 1>;
+	/**
+	 * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+	 */
 	query: Record<string, unknown>;
 }> {
 	const {
@@ -47,10 +53,16 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 		}
 	}
 
+	// TODO: Remove this once we have all routes migrated to the new API params
+	const hasSupportedRoutes = ([] as string[]).includes(route);
+	const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE';
+	const messageGenerator = ({ endpoint, version, parameter }: { endpoint: string; version: string; parameter: string }): string =>
+		`The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`;
+
 	let fields: Record<string, 0 | 1> | undefined;
-	if (params.fields) {
-		apiDeprecationLogger.parameter(route, 'fields', '7.0.0', response);
+	if (params.fields && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) {
 		try {
+			apiDeprecationLogger.parameter(route, 'fields', '8.0.0', response, messageGenerator);
 			fields = JSON.parse(params.fields) as Record<string, 0 | 1>;
 
 			Object.entries(fields).forEach(([key, value]) => {
@@ -99,9 +111,8 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 	}
 
 	let query: Record<string, any> = {};
-	if (params.query) {
-		apiDeprecationLogger.parameter(route, 'query', '7.0.0', response);
-
+	if (params.query && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) {
+		apiDeprecationLogger.parameter(route, 'query', '8.0.0', response, messageGenerator);
 		try {
 			query = ejson.parse(params.query);
 			query = clean(query, pathAllowConf.def);