github/directus
1
1
Fork 0
mirror of https://github.com/directus/directus.git synced 2026-04-25 03:00:53 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
81e0f4c021b4d2b41b39c381fece7d8fd3f6be4d
directus/api/src/utils/validate-query.ts
Azri Kahar a9b628baa6 Deep merge relational fields in content versions (#21386) 
* deep merge content version saves

* update content version graphql

* moved version merging to its own middleware

* added query param to request the unmodified version

* make sure the App uses the raw version format

* prettier

* removed unused middleware

* initial recursive version merging

* use loop instead of spreading

* cleanup

* accept boolean strings as versionRaw query value

* added middleware sanity check

* initial mergeVersionsRaw tests

* initial mergeVersionsRaw tests

* started merge tests

* initial m2o tests

* initial tests

* fixed logic for initial tests

* prettier

* more tests

* fixed brought up by tests

* first level relational tests

* testing nested relations

* fixed recursiveness

* more prettier

* namin consistency

* the prettiest

* Create chilled-icons-provide.md

* Add breaking change note

* updated graphql for version merging

* prettier

* added new sdk query param

* implemented judds feedback

* Enable singleton

* Slightly reformat/reword breaking change

Thanks @w0kyj!

* Clarify comment about primitive type substitution

Co-authored-by: daedalus <44623501+ComfortablyCoding@users.noreply.github.com>

* replaced for in loops

* applied isObject check

* prettier

* Short issue link

* Update changeset

* added sso guide warning

* pretttier

* update sso guide instead of warning

* prettier

* reverted SSO guide from other PR, nothing to see here

* Added cloneDeep to be safe

* removed snake case

---------

Co-authored-by: Brainslug <tim@brainslug.nl>
Co-authored-by: Brainslug <br41nslug@users.noreply.github.com>
Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
Co-authored-by: daedalus <44623501+ComfortablyCoding@users.noreply.github.com>
2024-03-04 11:57:51 -05:00

249 lines
6.6 KiB
TypeScript
Raw Blame History

import { useEnv } from '@directus/env';
import { InvalidQueryError } from '@directus/errors';
import type { Query } from '@directus/types';
import Joi from 'joi';
import { isPlainObject, uniq } from 'lodash-es';
import { stringify } from 'wellknown';
import { calculateFieldDepth } from './calculate-field-depth.js';
const env = useEnv();
const querySchema = Joi.object({
fields: Joi.array().items(Joi.string()),
group: Joi.array().items(Joi.string()),
sort: Joi.array().items(Joi.string()),
filter: Joi.object({}).unknown(),
limit:
'QUERY_LIMIT_MAX' in env && env['QUERY_LIMIT_MAX'] !== -1
? Joi.number()
.integer()
.min(-1)
.max(env['QUERY_LIMIT_MAX'] as number) // min should be 0
: Joi.number().integer().min(-1),
offset: Joi.number().integer().min(0),
page: Joi.number().integer().min(0),
meta: Joi.array().items(Joi.string().valid('total_count', 'filter_count')),
search: Joi.string(),
export: Joi.string().valid('csv', 'json', 'xml', 'yaml'),
version: Joi.string(),
versionRaw: Joi.boolean(),
aggregate: Joi.object(),
deep: Joi.object(),
alias: Joi.object(),
}).id('query');
export function validateQuery(query: Query): Query {
const { error } = querySchema.validate(query);
if (query.filter && Object.keys(query.filter).length > 0) {
validateFilter(query.filter);
}
if (query.alias) {
validateAlias(query.alias);
}
validateRelationalDepth(query);
if (error) {
throw new InvalidQueryError({ reason: error.message });
}
return query;
}
function validateFilter(filter: Query['filter']) {
if (!filter) throw new InvalidQueryError({ reason: 'Invalid filter object' });
for (const [key, nested] of Object.entries(filter)) {
if (key === '_and' || key === '_or') {
nested.forEach(validateFilter);
} else if (key.startsWith('_')) {
const value = nested;
switch (key) {
case '_in':
case '_nin':
case '_between':
case '_nbetween':
validateList(value, key);
break;
case '_null':
case '_nnull':
case '_empty':
case '_nempty':
validateBoolean(value, key);
break;
case '_intersects':
case '_nintersects':
case '_intersects_bbox':
case '_nintersects_bbox':
validateGeometry(value, key);
break;
case '_none':
case '_some':
validateFilter(nested);
break;
case '_eq':
case '_neq':
case '_contains':
case '_ncontains':
case '_starts_with':
case '_nstarts_with':
case '_istarts_with':
case '_nistarts_with':
case '_ends_with':
case '_nends_with':
case '_iends_with':
case '_niends_with':
case '_gt':
case '_gte':
case '_lt':
case '_lte':
default:
validateFilterPrimitive(value, key);
break;
}
} else if (isPlainObject(nested)) {
validateFilter(nested);
} else if (Array.isArray(nested) === false) {
validateFilterPrimitive(nested, '_eq');
} else {
// @ts-ignore TODO Check which case this is supposed to cover
validateFilter(nested);
}
}
}
function validateFilterPrimitive(value: any, key: string) {
if (value === null) return true;
if (
(typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean' || value instanceof Date) ===
false
) {
throw new InvalidQueryError({ reason: `The filter value for "${key}" has to be a string, number, or boolean` });
}
if (typeof value === 'number' && (Number.isNaN(value) || value > Number.MAX_SAFE_INTEGER)) {
throw new InvalidQueryError({ reason: `The filter value for "${key}" is not a valid number` });
}
if (typeof value === 'string' && value.length === 0) {
throw new InvalidQueryError({
reason: `You can't filter for an empty string in "${key}". Use "_empty" or "_nempty" instead`,
});
}
return true;
}
function validateList(value: any, key: string) {
if (Array.isArray(value) === false || value.length === 0) {
throw new InvalidQueryError({ reason: `"${key}" has to be an array of values` });
}
return true;
}
export function validateBoolean(value: any, key: string) {
if (value === null || value === '') return true;
if (typeof value !== 'boolean') {
throw new InvalidQueryError({ reason: `"${key}" has to be a boolean` });
}
return true;
}
export function validateGeometry(value: any, key: string) {
if (value === null || value === '') return true;
try {
stringify(value);
} catch {
throw new InvalidQueryError({ reason: `"${key}" has to be a valid GeoJSON object` });
}
return true;
}
function validateAlias(alias: any) {
if (isPlainObject(alias) === false) {
throw new InvalidQueryError({ reason: `"alias" has to be an object` });
}
for (const [key, value] of Object.entries(alias)) {
if (typeof key !== 'string') {
throw new InvalidQueryError({ reason: `"alias" key has to be a string. "${typeof key}" given` });
}
if (typeof value !== 'string') {
throw new InvalidQueryError({ reason: `"alias" value has to be a string. "${typeof key}" given` });
}
if (key.includes('.') || value.includes('.')) {
throw new InvalidQueryError({ reason: `"alias" key/value can't contain a period character \`.\`` });
}
}
}
function validateRelationalDepth(query: Query) {
const maxRelationalDepth = Number(env['MAX_RELATIONAL_DEPTH']) > 2 ? Number(env['MAX_RELATIONAL_DEPTH']) : 2;
// Process the fields in the same way as api/src/utils/get-ast-from-query.ts
let fields = ['*'];
if (query.fields) {
fields = query.fields;
}
/**
* When using aggregate functions, you can't have any other regular fields
* selected. This makes sure you never end up in a non-aggregate fields selection error
*/
if (Object.keys(query.aggregate || {}).length > 0) {
fields = [];
}
/**
* Similarly, when grouping on a specific field, you can't have other non-aggregated fields.
* The group query will override the fields query
*/
if (query.group) {
fields = query.group;
}
fields = uniq(fields);
for (const field of fields) {
if (field.split('.').length > maxRelationalDepth) {
throw new InvalidQueryError({ reason: 'Max relational depth exceeded' });
}
}
if (query.filter) {
const filterRelationalDepth = calculateFieldDepth(query.filter);
if (filterRelationalDepth > maxRelationalDepth) {
throw new InvalidQueryError({ reason: 'Max relational depth exceeded' });
}
}
if (query.sort) {
for (const sort of query.sort) {
if (sort.split('.').length > maxRelationalDepth) {
throw new InvalidQueryError({ reason: 'Max relational depth exceeded' });
}
}
}
if (query.deep) {
const deepRelationalDepth = calculateFieldDepth(query.deep, ['_sort']);
if (deepRelationalDepth > maxRelationalDepth) {
throw new InvalidQueryError({ reason: 'Max relational depth exceeded' });
}
}
}
Reference in New Issue View Git Blame Copy Permalink