Sanitize query in updateByQuery and deleteByQuery (#17649)
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, DashboardsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -102,7 +103,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -160,7 +162,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
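Review bot: The two-line sanitize-then-call sequence added in the `else` branch of both the PATCH and DELETE handlers here is repeated verbatim in every other router touched by this commit, which makes it easy for the next batch endpoint to omit it. Since each router already runs `validateBatch` from `../middleware/validate-batch` (imported at the top of the first hunk), the sanitization would be harder to forget if it lived there, e.g. `req.body.query = sanitizeQuery(req.body.query, req.accountability);` once the body shape has been validated, leaving the handlers to call `service.updateByQuery(req.body.query, req.body.data)` as before. I cannot see validate-batch in this page, so whether it has the accountability available at that point is something to confirm. Both handler bodies start and end outside these hunks.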
|
||||
|
||||
@@ -14,6 +14,7 @@ import asyncHandler from '../utils/async-handler';
|
||||
|
||||
// @ts-ignore
|
||||
import formatTitle from '@directus/format-title';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -261,7 +262,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -321,7 +323,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
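Review bot: Neither `const sanitizedQuery = …` line in these hunks says why a body-supplied query must go through `sanitizeQuery` while the single-key and `keys` branches do not, so a later reader may treat the call as redundant with whatever the GET routes already do. A short comment above it would pin the intent: `// req.body.query is raw client input: give it the same fields/filter/limit validation as a URL query, scoped to the caller's accountability`. Whether the GET handlers rely on a middleware-built sanitized query is not visible here, so confirm the wording against them before committing it. The surrounding PATCH and DELETE handlers extend beyond the hunk boundaries.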
|
||||
|
||||
@@ -8,6 +8,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, FlowsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -129,7 +130,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -187,7 +189,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
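Review bot: After sanitization, a body whose `query` carries no `filter` (for example `{}`) still reaches `service.updateByQuery` and `service.deleteByQuery` in these hunks and, as far as the visible lines show, would act on every row the caller's permissions allow; sanitizing validates the query's shape but does not make it narrow the target set. If that is intended for batch operations, a comment such as `// NOTE: a query without a filter updates/deletes every accessible row` would warn maintainers; if not, the handler should reject a filterless query with the router's usual 400-class exception before calling the service. I cannot tell from the hunk whether validateBatch already enforces a filter. The handler bodies begin before and continue after these hunks.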
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { FoldersService, MetaService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -110,7 +111,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -169,7 +171,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
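Review bot: If `sanitizeQuery` applies a default or maximum `limit` to body queries the way read endpoints are typically limited (its implementation is not visible here), the `deleteByQuery(sanitizedQuery)` and `updateByQuery(sanitizedQuery, …)` calls in these hunks now silently stop after that many matching rows, whereas the previous raw-query path would have processed every match. That is a behavioural change for callers that batch-delete large folder trees and deserves either a regression test or an explicit note in the handler, e.g. `// limit is validated (and possibly clamped) by sanitizeQuery; large batches may need an explicit limit`. Whether an unlimited value is still accepted by the sanitizer is also worth confirming. The enclosing handlers extend past the hunk boundaries.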
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { ItemsService, MetaService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -140,7 +141,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -209,7 +211,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
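Review bot: The `else` branch in each of these hunks now hands `req.body.query` straight to `sanitizeQuery`, so if that field can be absent the failure moves from the service layer into the sanitizer, most likely as a TypeError that surfaces as a 500 rather than a 400. The hunk does not show whether `validateBatch` (imported above) already guarantees `query` is an object whenever `keys` is missing; if it does, a one-line comment `// validateBatch guarantees exactly one of keys/query is present` would make the invariant visible here, and if it does not, the branch should reject a missing query before sanitizing. This router serves every user collection, so the failure mode is reachable by any authenticated caller. The PATCH and DELETE handler bodies begin and end outside the hunks.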
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, NotificationsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -111,7 +112,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -170,7 +172,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, OperationsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -102,7 +103,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -160,7 +162,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, PanelsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -102,7 +103,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -160,7 +162,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, PermissionsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -112,7 +113,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -171,7 +173,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
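Review bot: No test accompanies the new `sanitizeQuery` calls in these hunks, and the permissions collection is where an unsanitized batch query would matter most, so a regression test here would give the whole commit its only executable check. A router-level test that sends a PATCH with a `query` containing an unsupported key or an out-of-range `limit` and asserts what reaches `service.updateByQuery` (and likewise for DELETE) would pin the behaviour; without it a later refactor can drop the call in one router unnoticed. The handler bodies start and end outside these hunks.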
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, PresetsService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -111,7 +112,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -170,7 +172,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, RolesService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -103,7 +104,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -162,7 +164,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -9,6 +9,7 @@ import asyncHandler from '../utils/async-handler';
|
||||
import { UUID_REGEX, COOKIE_OPTIONS } from '../constants';
|
||||
import Joi from 'joi';
|
||||
import env from '../env';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -205,7 +206,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -263,7 +265,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -8,6 +8,7 @@ import { AuthenticationService, MetaService, UsersService, RolesService, TFAServ
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { Role } from '@directus/shared/types';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -188,7 +189,8 @@ router.patch(
|
||||
} else if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -247,7 +249,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||
@@ -6,6 +6,7 @@ import { validateBatch } from '../middleware/validate-batch';
|
||||
import { MetaService, WebhooksService } from '../services';
|
||||
import { PrimaryKey } from '../types';
|
||||
import asyncHandler from '../utils/async-handler';
|
||||
import { sanitizeQuery } from '../utils/sanitize-query';
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
@@ -100,7 +101,8 @@ router.patch(
|
||||
if (req.body.keys) {
|
||||
keys = await service.updateMany(req.body.keys, req.body.data);
|
||||
} else {
|
||||
keys = await service.updateByQuery(req.body.query, req.body.data);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
keys = await service.updateByQuery(sanitizedQuery, req.body.data);
|
||||
}
|
||||
|
||||
try {
|
||||
@@ -158,7 +160,8 @@ router.delete(
|
||||
} else if (req.body.keys) {
|
||||
await service.deleteMany(req.body.keys);
|
||||
} else {
|
||||
await service.deleteByQuery(req.body.query);
|
||||
const sanitizedQuery = sanitizeQuery(req.body.query, req.accountability);
|
||||
await service.deleteByQuery(sanitizedQuery);
|
||||
}
|
||||
|
||||
return next();
|
||||
|
||||