npm - @balena/pinejs - Versions diffs - 20.0.2-build-compile-in-as-eq-any-cdd3d0c80b63550d7316739dc6050ed1382f8009-1 → 20.0.3-build-avoids-string-multipart-webresources-fields-2035384d89af750273ee83e87a1da5bde562a18a-1 - Mend

@balena/pinejs 20.0.2-build-compile-in-as-eq-any-cdd3d0c80b63550d7316739dc6050ed1382f8009-1 → 20.0.3-build-avoids-string-multipart-webresources-fields-2035384d89af750273ee83e87a1da5bde562a18a-1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/.pinejs-cache.json +1 -1
package/.versionbot/CHANGELOG.yml +32 -3
package/CHANGELOG.md +8 -2
package/VERSION +1 -1
package/docs/Migrations.md +32 -18
package/out/sbvr-api/abstract-sql.js +9 -19
package/out/sbvr-api/abstract-sql.js.map +1 -1
package/out/webresource-handler/index.d.ts +2 -0
package/out/webresource-handler/index.js +29 -17
package/out/webresource-handler/index.js.map +1 -1
package/package.json +5 -5
package/src/sbvr-api/abstract-sql.ts +9 -28
package/src/webresource-handler/index.ts +50 -24

package/src/webresource-handler/index.ts CHANGED Viewed

@@ -63,30 +63,27 @@ export const setupWebresourceHandler = (handler: WebResourceHandler): void => {
 export const getWebresourceHandler = (): WebResourceHandler | undefined => {
 	return configuredWebResourceHandler;
 };
+const notValidUpload = () => Promise.resolve(false);
-const isFileInValidPath = async (
-	fieldname: string,
+const getRequestUploadValidator = async (
 	req: Express.Request,
-): Promise<boolean> => {
+	odataRequest: uriParser.ParsedODataRequest,
+): Promise<(fieldName: string) => Promise<boolean>> => {
 	if (req.method !== 'POST' && req.method !== 'PATCH') {
-		return false;
+		return notValidUpload;
 	}
 	const apiRoot = getApiRoot(req);
 	if (apiRoot == null) {
-		return false;
+		return notValidUpload;
 	}
 	const model = getModel(apiRoot);
-	const odataRequest = uriParser.parseOData({
-		url: req.url,
-		method: req.method,
-	});
 	const sqlResourceName = sbvrUtils.resolveSynonym(odataRequest);
 	const table = model.abstractSql.tables[sqlResourceName];
 	if (table == null) {
-		return false;
+		return notValidUpload;
 	}
 	const permission = req.method === 'POST' ? 'create' : 'update';
@@ -101,20 +98,22 @@ const isFileInValidPath = async (
 	);
 	if (!hasPermissions) {
-		return false;
+		return notValidUpload;
 	}
-	const dbFieldName = odataNameToSqlName(fieldname);
-	return table.fields.some(
-		(field) =>
-			field.fieldName === dbFieldName && field.dataType === 'WebResource',
-	);
+	return async (fieldname: string) => {
+		const dbFieldName = odataNameToSqlName(fieldname);
+		return table.fields.some(
+			(field) =>
+				field.fieldName === dbFieldName && field.dataType === 'WebResource',
+		);
+	};
 };
 export const getUploaderMiddlware = (
 	handler: WebResourceHandler,
 ): Express.RequestHandler => {
-	return (req, res, next) => {
+	return async (req, res, next) => {
 		if (!req.is('multipart')) {
 			next();
 			return;
@@ -125,6 +124,20 @@ export const getUploaderMiddlware = (
 		const bb = busboy({ headers: req.headers });
 		let isAborting = false;
+		const parsedOdataRequest = uriParser.parseOData({
+			url: req.url,
+			method: req.method,
+		});
+		const webResourcesFieldNames = getWebResourceFields(
+			parsedOdataRequest,
+			false,
+		);
+		const isValidUpload = await getRequestUploadValidator(
+			req,
+			parsedOdataRequest,
+		);
 		const finishFileUpload = () => {
 			req.unpipe(bb);
 			req.on('readable', req.read.bind(req));
@@ -152,7 +165,7 @@ export const getUploaderMiddlware = (
 			completeUploads.push(
 				(async () => {
 					try {
-						if (!(await isFileInValidPath(fieldname, req))) {
+						if (!(await isValidUpload(fieldname))) {
 							filestream.resume();
 							return;
 						}
@@ -174,7 +187,10 @@ export const getUploaderMiddlware = (
 						uploadedFilePaths.push(result.filename);
 					} catch (err: any) {
 						filestream.resume();
-						throw err;
+						bb.emit(
+							'error',
+							new errors.BadRequestError(err.message ?? 'Error uploading file'),
+						);
 					}
 				})(),
 			);
@@ -184,6 +200,14 @@ export const getUploaderMiddlware = (
 		// This receives the form fields and transforms them into a standard JSON body
 		// This is a similar behavior as previous multer library did
 		bb.on('field', (name, val) => {
+			if (webResourcesFieldNames.includes(name)) {
+				isAborting = true;
+				bb.emit(
+					'error',
+					new errors.BadRequestError('WebResource field must be a blob.'),
+				);
+				return;
+			}
 			req.body[name] = val;
 		});
@@ -209,7 +233,7 @@ export const getUploaderMiddlware = (
 			}
 		});
-		bb.on('error', async (err) => {
+		bb.on('error', async (err: Error) => {
 			finishFileUpload();
 			await clearFiles();
@@ -221,15 +245,17 @@ export const getUploaderMiddlware = (
 				);
 			}
-			getLogger(getApiRoot(req)).error('Error uploading file', err);
-			next(err);
+			if (!sbvrUtils.handleHttpErrors(req, res, err)) {
+				getLogger(getApiRoot(req)).error('Error uploading file', err);
+				next(err);
+			}
 		});
 		req.pipe(bb);
 	};
 };
-const getWebResourceFields = (
-	request: uriParser.ODataRequest,
+export const getWebResourceFields = (
+	request: uriParser.ParsedODataRequest,
 	useTranslations = true,
 ): string[] => {
 	// Translations will use modifyFields(translated) rather than fields(original) so we need to