
Commit 6b28075

Merge pull request #1834 from drew-gross/move-stuff
Move query format validation into Parse Server
2 parents 8b43d26 + c416cad commit 6b28075


4 files changed

+44
-25
lines changed


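--- a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
+++ b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -180,11 +180,11 @@ export class MongoStorageAdapter {
 // If no objects match, reject with OBJECT_NOT_FOUND. If objects are found and deleted, resolve with undefined.
 // If there is some other error, reject with INTERNAL_SERVER_ERROR.
 
-// Currently accepts validate for legacy reasons. Currently accepts the schema, that may not actually be necessary.
-deleteObjectsByQuery(className, query, validate, schema) {
+// Currently accepts the schema, that may not actually be necessary.
+deleteObjectsByQuery(className, query, schema) {
 return this.adaptiveCollection(className)
 .then(collection => {
-let mongoWhere = transform.transformWhere(className, query, { validate }, schema);
+let mongoWhere = transform.transformWhere(className, query, schema);
 return collection.deleteMany(mongoWhere)
 })
 .then(({ result }) => {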
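Review bot: Removing the `validate` positional parameter of `deleteObjectsByQuery` shifts the meaning of the third argument, and only the `DatabaseController.destroy` caller is updated in this commit; any other caller still passing four arguments would bind its boolean to `schema` without any error. Since the `$or`/`$and` and key-name checks no longer happen in `transformWhere`, the method now relies on its caller having validated `query`, and that precondition is not recorded anywhere in the adapter. I would replace the surviving comment with one that states it: `// Expects a query already checked by DatabaseController's validateQuery; no key-name or $or/$and validation happens here. The schema argument may not actually be necessary.` The body of `deleteObjectsByQuery` continues past the end of the hunk.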

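--- a/src/Adapters/Storage/Mongo/MongoTransform.js
+++ b/src/Adapters/Storage/Mongo/MongoTransform.js
@@ -141,7 +141,7 @@ const valueAsDate = value => {
 return false;
 }
 
-function transformQueryKeyValue(className, key, value, { validate } = {}, schema) {
+function transformQueryKeyValue(className, key, value, schema) {
 switch(key) {
 case 'createdAt':
 if (valueAsDate(value)) {
@@ -167,15 +167,9 @@ function transformQueryKeyValue(className, key, value, { validate } = {}, schema
 case '_perishable_token':
 case '_email_verify_token': return {key, value}
 case '$or':
-if (!(value instanceof Array)) {
-throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value');
-}
-return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
+return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, schema))};
 case '$and':
-if (!(value instanceof Array)) {
-throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value');
-}
-return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
+return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, schema))};
 default:
 // Other auth data
 const authDataMatch = key.match(/^authData\.([a-zA-Z0-9_]+)\.id$/);
@@ -184,9 +178,6 @@ function transformQueryKeyValue(className, key, value, { validate } = {}, schema
 // Special-case auth data.
 return {key: `_auth_data_${provider}.id`, value};
 }
-if (validate && !key.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
-throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'invalid key name: ' + key);
-}
 }
 
 const expectedTypeIsArray =
@@ -223,14 +214,10 @@ function transformQueryKeyValue(className, key, value, { validate } = {}, schema
 // Main exposed method to help run queries.
 // restWhere is the "where" clause in REST API form.
 // Returns the mongo form of the query.
-// Throws a Parse.Error if the input query is invalid.
-function transformWhere(className, restWhere, { validate = true } = {}, schema) {
+function transformWhere(className, restWhere, schema) {
 let mongoWhere = {};
-if (restWhere['ACL']) {
-throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
-}
 for (let restKey in restWhere) {
-let out = transformQueryKeyValue(className, restKey, restWhere[restKey], { validate }, schema);
+let out = transformQueryKeyValue(className, restKey, restWhere[restKey], schema);
 mongoWhere[out.key] = out.value;
 }
 return mongoWhere;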
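Review bot: The `$or` and `$and` cases now call `value.map(...)` at new lines 170 and 172 with the array check removed, so a non-array value that reaches `transformQueryKeyValue` raises a TypeError instead of `Parse.Error.INVALID_QUERY`; this is only safe because `DatabaseController` runs `validateQuery` first, and that precondition is not written anywhere in this file. The comment block above `transformWhere` lost its "Throws a Parse.Error if the input query is invalid." line without a replacement, so I would add `// Assumes restWhere was already checked by DatabaseController's validateQuery; $or/$and values, the ACL key and key names are not re-validated here.` Both `transformQueryKeyValue` and `transformWhere` extend beyond the hunks shown.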

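--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -24,6 +24,35 @@ function addReadACL(query, acl) {
 return newQuery;
 }
 
+const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
+const validateQuery = query => {
+if (query.ACL) {
+throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+}
+
+if (query.$or) {
+if (query.$or instanceof Array) {
+query.$or.forEach(validateQuery);
+} else {
+throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $or format - use an array value.');
+}
+}
+
+if (query.$and) {
+if (query.$and instanceof Array) {
+query.$and.forEach(validateQuery);
+} else {
+throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Bad $and format - use an array value.');
+}
+}
+
+Object.keys(query).forEach(key => {
+if (!specialQuerykeys.includes(key) && !key.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
+throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${key}`);
+}
+});
+}
+
 function DatabaseController(adapter, { skipValidation } = {}) {
 this.adapter = adapter;
 
@@ -174,6 +203,7 @@ DatabaseController.prototype.update = function(className, query, update, {
 if (acl) {
 query = addWriteACL(query, acl);
 }
+validateQuery(query);
 return schemaController.getOneSchema(className)
 .catch(error => {
 // If the schema doesn't exist, pretend it exists with no fields. This behaviour
@@ -184,7 +214,7 @@ DatabaseController.prototype.update = function(className, query, update, {
 throw error;
 })
 .then(parseFormatSchema => {
-var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema);
+var mongoWhere = this.transform.transformWhere(className, query, parseFormatSchema);
 mongoUpdate = this.transform.transformUpdate(
 schemaController,
 className,
@@ -328,6 +358,7 @@ DatabaseController.prototype.destroy = function(className, query, { acl } = {})
 if (acl) {
 query = addWriteACL(query, acl);
 }
+validateQuery(query);
 return schemaController.getOneSchema(className)
 .catch(error => {
 // If the schema doesn't exist, pretend it exists with no fields. This behaviour
@@ -337,7 +368,7 @@ DatabaseController.prototype.destroy = function(className, query, { acl } = {})
 }
 throw error;
 })
-.then(parseFormatSchema => this.adapter.deleteObjectsByQuery(className, query, !this.skipValidation, parseFormatSchema))
+.then(parseFormatSchema => this.adapter.deleteObjectsByQuery(className, query, parseFormatSchema))
 .catch(error => {
 // When deleting sessions while changing passwords, don't throw an error if they don't have any sessions.
 if (className === "_Session" && error.code === Parse.Error.OBJECT_NOT_FOUND) {
@@ -668,7 +699,8 @@ DatabaseController.prototype.find = function(className, query, {
 if (!isMaster) {
 query = addReadACL(query, aclGroup);
 }
-let mongoWhere = this.transform.transformWhere(className, query, {}, schema);
+validateQuery(query);
+let mongoWhere = this.transform.transformWhere(className, query, schema);
 if (count) {
 delete mongoOptions.limit;
 return collection.count(mongoWhere, mongoOptions);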
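Review bot: `validateQuery(query)` at new lines 206, 361 and 702 runs unconditionally, whereas the old `update` and `destroy` paths passed `{validate: !this.skipValidation}`, so key-name validation is no longer bypassed for `WithoutValidation()` callers; the `_id` to `objectId` change in GlobalConfigRouter.js looks like a consequence of exactly this. If that tightening is intended, a comment on `validateQuery` should say so before someone reinstates the flag, e.g. `// Runs regardless of skipValidation: internal callers must use REST-form keys (objectId, not _id).` Separately, `specialQuerykeys` whitelists only four underscore-prefixed keys, so if the special-case list of `transformQueryKeyValue` above line 167 of MongoTransform.js (not visible here) accepts any others, those queries are now rejected with INVALID_KEY_NAME before reaching the transform. `Array.isArray(query.$or)` would also be the conventional form of the `instanceof Array` checks. The enclosing `update`, `destroy` and `find` functions extend outside these hunks.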

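--- a/src/Routers/GlobalConfigRouter.js
+++ b/src/Routers/GlobalConfigRouter.js
@@ -24,7 +24,7 @@ export class GlobalConfigRouter extends PromiseRouter {
 return acc;
 }, {});
 let database = req.config.database.WithoutValidation();
-return database.update('_GlobalConfig', {_id: 1}, update, {upsert: true}).then(() => {
+return database.update('_GlobalConfig', {objectId: 1}, update, {upsert: true}).then(() => {
 return Promise.resolve({ response: { result: true } });
 });
 }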
