From 79f50de95b4cf8ad0060d4f5277e4e43acbea292 Mon Sep 17 00:00:00 2001 From: "harshitha.d" Date: Tue, 22 Oct 2024 15:53:26 +0530 Subject: [PATCH 1/3] sanitized the required inputs and updated cconfig to run test cases --- src/config.ts | 2 +- src/stack.ts | 36 +++++++++++++++++++++++++++++++++++- test/expressions.ts | 2 +- typings/config.d.ts | 1 - typings/stack.d.ts | 2 ++ 5 files changed, 39 insertions(+), 4 deletions(-) diff --git a/src/config.ts b/src/config.ts index 7cff619..bb417bc 100644 --- a/src/config.ts +++ b/src/config.ts @@ -30,7 +30,7 @@ export const config = { // http://mongodb.github.io/node-mongodb-native/3.1/api/MongoClient.html options: { connectTimeoutMS: 15000, - keepAlive: true, + // keepAlive: true, // keepAlive is not supported in later versions of mongodb noDelay: true, useNewUrlParser: true, }, diff --git a/src/stack.ts b/src/stack.ts index 0c274e6..9d0b80b 100644 --- a/src/stack.ts +++ b/src/stack.ts @@ -2017,6 +2017,9 @@ export class Stack { private async bindLeftoverAssets(queries: IQuery, locale: string, pointerList: IShelf[]) { // const contents = await readFile(getAssetsPath(locale) + '.json') + if (!this.sanitizeIQuery(queries)) { + throw new Error('Invalid queries provided'); + } const filteredAssets = await this.db.collection(getCollectionName({ content_type_uid: this.types.assets, locale, @@ -2096,6 +2099,9 @@ export class Stack { } private async getReferencePath(query, locale, currentInclude) { + if (!this.sanityQueryAny(query)) { + throw new Error('Invalid query provided'); + } const schemas = await this.db.collection(getCollectionName({ content_type_uid: this.types.content_types, locale, @@ -2184,6 +2190,9 @@ export class Stack { private async fetchEntries(query: IQuery, locale: string, paths: string[], include: string[], includeAll: boolean = false) { + if (!this.sanitizeIQuery(query)) { + throw new Error('Invalid queries provided'); + } const result = await this.db.collection(getCollectionName({ content_type_uid: 'entries', locale, @@ -2376,5 +2385,30 @@ export class Stack { paths, } } - // tslint:disable-next-line: max-file-line-count + + private sanitizeIQuery(query: IQuery): boolean { + if (!query || typeof query !== 'object' || Array.isArray(query)) { + return false; + } + if (!query || !Array.isArray(query.$or)) { + return false; + } + for (const item of query.$or) { + if ( + typeof item._content_type_uid !== 'string' || + typeof item.uid !== 'string' || + (item._version && typeof item._version.$exists !== 'boolean') || + (item.locale && typeof item.locale !== 'string') + ) { + return false; + } + } + return true; + } + private sanityQueryAny(query: any): boolean { + if (!query || typeof query !== 'object' || Array.isArray(query)) { + return false; + } + return true; + } } diff --git a/test/expressions.ts b/test/expressions.ts index 5fb5193..9e4e02f 100644 --- a/test/expressions.ts +++ b/test/expressions.ts @@ -90,7 +90,7 @@ describe('# Expressional Operators', () => { test('.regex()', () => { return Stack.contentType('blog') .entries() - .regex('title', '/^Blog Two$/', 'g') + .regex('title', '/^Blog Two$/', 'i') .find() .then((result: any) => { checkEntries(result) diff --git a/typings/config.d.ts b/typings/config.d.ts index 7150361..29600fa 100644 --- a/typings/config.d.ts +++ b/typings/config.d.ts @@ -28,7 +28,6 @@ export declare const config: { locale: string; options: { connectTimeoutMS: number; - keepAlive: boolean; noDelay: boolean; useNewUrlParser: boolean; }; diff --git a/typings/stack.d.ts b/typings/stack.d.ts index 686c76e..534a533 100644 --- a/typings/stack.d.ts +++ b/typings/stack.d.ts @@ -1092,4 +1092,6 @@ export declare class Stack { private bindReferences; private includeAllReferencesIteration; private getAllReferencePaths; + private sanitizeIQuery; + private sanityQueryAny; } From 5e51d9fafd4c26688fb68a42ab18ed535453afa6 Mon Sep 17 00:00:00 2001 From: "harshitha.d" Date: Wed, 23 Oct 2024 18:04:13 +0530 Subject: [PATCH 2/3] removed prettify.js which was causing semgrep issue and included as javascript link in the script tag --- docs/global.html | 2 +- docs/global.html#Stack | 2 +- docs/index.html | 2 +- docs/index.js.html | 2 +- docs/scripts/prettify/prettify.js | 28 ---------------------------- docs/stack.js.html | 2 +- 6 files changed, 5 insertions(+), 33 deletions(-) delete mode 100644 docs/scripts/prettify/prettify.js diff --git a/docs/global.html b/docs/global.html index 88e5e21..8543b16 100644 --- a/docs/global.html +++ b/docs/global.html @@ -4,7 +4,7 @@ JSDoc: Global - +