@carbonorm/carbonnode 4.0.0 → 5.0.0

package/dist/index.d.ts

@@ -36,6 +36,7 @@ export * from "./api/utils/determineRuntimeJsType";
 export * from "./api/utils/logger";
 export * from "./api/utils/normalizeSingularRequest";
 export * from "./api/utils/sortAndSerializeQueryObject";
+export * from "./api/utils/sqlAllowList";
 export * from "./api/utils/testHelpers";
 export * from "./api/utils/toastNotifier";
 export * from "./variables/getEnvVar";

package/dist/index.esm.js

@@ -1824,8 +1824,9 @@ var ConditionBuilder = /** @class */ (function (_super) {
         }
         throw new Error('Unsupported operand type in SQL expression.');
     };
-    ConditionBuilder.prototype.isPlainArrayLiteral = function (value) {
+    ConditionBuilder.prototype.isPlainArrayLiteral = function (value, allowColumnRefs) {
         var _this = this;
+        if (allowColumnRefs === void 0) { allowColumnRefs = false; }
         if (!Array.isArray(value))
             return false;
         return value.every(function (item) {
@@ -1835,14 +1836,15 @@ var ConditionBuilder = /** @class */ (function (_super) {
             if (type === 'string' || type === 'number' || type === 'boolean')
                 return true;
             if (Array.isArray(item))
-                return _this.isPlainArrayLiteral(item);
+                return _this.isPlainArrayLiteral(item, allowColumnRefs);
             if (item && typeof item === 'object')
-                return _this.isPlainObjectLiteral(item);
+                return _this.isPlainObjectLiteral(item, allowColumnRefs);
             return false;
         });
     };
-    ConditionBuilder.prototype.isPlainObjectLiteral = function (value) {
+    ConditionBuilder.prototype.isPlainObjectLiteral = function (value, allowColumnRefs) {
         var _this = this;
+        if (allowColumnRefs === void 0) { allowColumnRefs = false; }
         if (!value || typeof value !== 'object' || Array.isArray(value))
             return false;
         if (value instanceof Date)
@@ -1861,17 +1863,37 @@ var ConditionBuilder = /** @class */ (function (_super) {
         })) {
             return false;
         }
-        if (entries.some(function (_a) {
-            var key = _a[0];
-            return typeof key === 'string' && (_this.isColumnRef(key) || key.includes('.'));
-        })) {
-            return false;
+        if (!allowColumnRefs) {
+            if (entries.some(function (_a) {
+                var key = _a[0];
+                return typeof key === 'string' && (_this.isColumnRef(key) || key.includes('.'));
+            })) {
+                return false;
+            }
         }
         return true;
     };
+    ConditionBuilder.prototype.resolveColumnDefinition = function (column) {
+        var _a, _b, _c, _d;
+        if (!column || typeof column !== 'string' || !column.includes('.'))
+            return undefined;
+        var _e = column.split('.', 2), prefix = _e[0], colName = _e[1];
+        var tableName = (_a = this.aliasMap[prefix]) !== null && _a !== void 0 ? _a : prefix;
+        var table = (_c = (_b = this.config.C6) === null || _b === void 0 ? void 0 : _b.TABLES) === null || _c === void 0 ? void 0 : _c[tableName];
+        if (!(table === null || table === void 0 ? void 0 : table.TYPE_VALIDATION))
+            return undefined;
+        return (_d = table.TYPE_VALIDATION[colName]) !== null && _d !== void 0 ? _d : table.TYPE_VALIDATION["".concat(tableName, ".").concat(colName)];
+    };
+    ConditionBuilder.prototype.isJsonColumn = function (column) {
+        var columnDef = this.resolveColumnDefinition(column);
+        var mysqlType = columnDef === null || columnDef === void 0 ? void 0 : columnDef.MYSQL_TYPE;
+        return typeof mysqlType === 'string' && mysqlType.toLowerCase().includes('json');
+    };
     ConditionBuilder.prototype.serializeUpdateValue = function (value, params, contextColumn) {
         var normalized = value instanceof Map ? Object.fromEntries(value) : value;
-        if (this.isPlainArrayLiteral(normalized) || this.isPlainObjectLiteral(normalized)) {
+        var allowColumnRefs = this.isJsonColumn(contextColumn);
+        if (this.isPlainArrayLiteral(normalized, allowColumnRefs)
+            || this.isPlainObjectLiteral(normalized, allowColumnRefs)) {
             return this.addParam(params, contextColumn !== null && contextColumn !== void 0 ? contextColumn : '', JSON.stringify(normalized));
         }
         var _a = this.serializeOperand(normalized, params, contextColumn), sql = _a.sql, isReference = _a.isReference, isExpression = _a.isExpression, isSubSelect = _a.isSubSelect;
@@ -2938,6 +2960,63 @@ function normalizeSingularRequest(requestMethod, request, restModel, removedPrim
     return __assign(__assign({}, normalized), { dataInsertMultipleRows: dataInsertMultipleRows, cacheResults: cacheResults, fetchDependencies: fetchDependencies, debug: debug, success: success, error: error });
 }
 
+var allowListCache = new Map();
+var normalizeSql = function (sql) {
+    return sql.replace(/\s+/g, " ").trim();
+};
+var parseAllowList = function (raw, sourcePath) {
+    var parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " is not valid JSON."));
+    }
+    if (!Array.isArray(parsed)) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must be a JSON array of strings."));
+    }
+    var sqlEntries = parsed
+        .filter(function (entry) { return typeof entry === "string"; })
+        .map(normalizeSql)
+        .filter(function (entry) { return entry.length > 0; });
+    if (sqlEntries.length !== parsed.length) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must contain only string entries."));
+    }
+    return sqlEntries;
+};
+var loadSqlAllowList = function (allowListPath) { return __awaiter(void 0, void 0, void 0, function () {
+    var readFile, raw, sqlEntries, allowList;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (allowListCache.has(allowListPath)) {
+                    return [2 /*return*/, allowListCache.get(allowListPath)];
+                }
+                if (!isNode()) {
+                    throw new Error("SQL allowlist validation requires a Node runtime.");
+                }
+                return [4 /*yield*/, import('node:fs/promises')];
+            case 1:
+                readFile = (_a.sent()).readFile;
+                _a.label = 2;
+            case 2:
+                _a.trys.push([2, 4, , 5]);
+                return [4 /*yield*/, readFile(allowListPath, "utf-8")];
+            case 3:
+                raw = _a.sent();
+                return [3 /*break*/, 5];
+            case 4:
+                _a.sent();
+                throw new Error("SQL allowlist file not found at ".concat(allowListPath, "."));
+            case 5:
+                sqlEntries = parseAllowList(raw, allowListPath);
+                allowList = new Set(sqlEntries);
+                allowListCache.set(allowListPath, allowList);
+                return [2 /*return*/, allowList];
+        }
+    });
+}); };
+
 var SqlExecutor = /** @class */ (function (_super) {
     __extends(SqlExecutor, _super);
     function SqlExecutor() {
@@ -2970,10 +3049,10 @@ var SqlExecutor = /** @class */ (function (_super) {
                         switch (_a) {
                             case 'GET': return [3 /*break*/, 1];
                             case 'POST': return [3 /*break*/, 3];
-                            case 'PUT': return [3 /*break*/, 5];
-                            case 'DELETE': return [3 /*break*/, 7];
+                            case 'PUT': return [3 /*break*/, 6];
+                            case 'DELETE': return [3 /*break*/, 9];
                         }
-                        return [3 /*break*/, 9];
+                        return [3 /*break*/, 12];
                     case 1: return [4 /*yield*/, this.runQuery()];
                     case 2:
                         rest = _b.sent();
@@ -2981,16 +3060,25 @@ var SqlExecutor = /** @class */ (function (_super) {
                     case 3: return [4 /*yield*/, this.runQuery()];
                     case 4:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 5:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 5: return [4 /*yield*/, this.runQuery()];
-                    case 6:
+                    case 6: return [4 /*yield*/, this.runQuery()];
+                    case 7:
                         result = _b.sent();
-                        return [2 /*return*/, result];
-                    case 7: return [4 /*yield*/, this.runQuery()];
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
                     case 8:
+                        _b.sent();
+                        return [2 /*return*/, result];
+                    case 9: return [4 /*yield*/, this.runQuery()];
+                    case 10:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 11:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 9: throw new Error("Unsupported request method: ".concat(method));
+                    case 12: throw new Error("Unsupported request method: ".concat(method));
                 }
             });
         });
@@ -3051,6 +3139,149 @@ var SqlExecutor = /** @class */ (function (_super) {
             return "'".concat(val.toISOString().slice(0, 19).replace('T', ' '), "'");
         return "'".concat(JSON.stringify(val), "'");
     };
+    SqlExecutor.prototype.stripRequestMetadata = function (source) {
+        var ignoredKeys = new Set([
+            C6Constants.SELECT,
+            C6Constants.UPDATE,
+            C6Constants.DELETE,
+            C6Constants.WHERE,
+            C6Constants.JOIN,
+            C6Constants.PAGINATION,
+            C6Constants.INSERT,
+            C6Constants.REPLACE,
+            "dataInsertMultipleRows",
+            "cacheResults",
+            "fetchDependencies",
+            "debug",
+            "success",
+            "error",
+        ]);
+        var filtered = {};
+        for (var _i = 0, _a = Object.entries(source); _i < _a.length; _i++) {
+            var _b = _a[_i], key = _b[0], value = _b[1];
+            if (!ignoredKeys.has(key)) {
+                filtered[key] = value;
+            }
+        }
+        return filtered;
+    };
+    SqlExecutor.prototype.normalizeRequestPayload = function (source) {
+        var _a;
+        var columns = this.config.restModel.COLUMNS;
+        var validColumns = new Set(Object.values(columns));
+        var normalized = {};
+        for (var _i = 0, _b = Object.entries(source); _i < _b.length; _i++) {
+            var _c = _b[_i], key = _c[0], value = _c[1];
+            var shortKey = (_a = columns[key]) !== null && _a !== void 0 ? _a : (key.includes(".") ? key.split(".").pop() : key);
+            if (validColumns.has(shortKey)) {
+                normalized[shortKey] = value;
+            }
+        }
+        return normalized;
+    };
+    SqlExecutor.prototype.extractRequestBody = function () {
+        var _a, _b;
+        var request = this.request;
+        if (this.config.requestMethod === C6Constants.POST) {
+            if (Array.isArray(request.dataInsertMultipleRows) && request.dataInsertMultipleRows.length > 0) {
+                return request.dataInsertMultipleRows[0];
+            }
+            if (C6Constants.INSERT in request) {
+                return (_a = request[C6Constants.INSERT]) !== null && _a !== void 0 ? _a : {};
+            }
+            if (C6Constants.REPLACE in request) {
+                return (_b = request[C6Constants.REPLACE]) !== null && _b !== void 0 ? _b : {};
+            }
+            return this.stripRequestMetadata(request);
+        }
+        if (this.config.requestMethod === C6Constants.PUT) {
+            if (request[C6Constants.UPDATE] && typeof request[C6Constants.UPDATE] === "object") {
+                return request[C6Constants.UPDATE];
+            }
+            return this.stripRequestMetadata(request);
+        }
+        return {};
+    };
+    SqlExecutor.prototype.extractPrimaryKeyValues = function () {
+        var _a, _b, _c;
+        var request = this.request;
+        var where = request === null || request === void 0 ? void 0 : request[C6Constants.WHERE];
+        var sources = [request, (where && typeof where === "object" && !Array.isArray(where)) ? where : undefined];
+        var columns = this.config.restModel.COLUMNS;
+        var primaryShorts = (_a = this.config.restModel.PRIMARY_SHORT) !== null && _a !== void 0 ? _a : [];
+        var primaryFulls = (_b = this.config.restModel.PRIMARY) !== null && _b !== void 0 ? _b : [];
+        var pkValues = {};
+        var _loop_1 = function (pkShort) {
+            var value = undefined;
+            for (var _d = 0, sources_1 = sources; _d < sources_1.length; _d++) {
+                var source = sources_1[_d];
+                if (source && pkShort in source) {
+                    value = source[pkShort];
+                    break;
+                }
+            }
+            if (value === undefined) {
+                var fullKey = (_c = primaryFulls.find(function (key) { return key.endsWith("." + pkShort); })) !== null && _c !== void 0 ? _c : Object.keys(columns).find(function (key) { return columns[key] === pkShort; });
+                if (fullKey) {
+                    for (var _e = 0, sources_2 = sources; _e < sources_2.length; _e++) {
+                        var source = sources_2[_e];
+                        if (source && fullKey in source) {
+                            value = source[fullKey];
+                            break;
+                        }
+                    }
+                }
+            }
+            if (value !== undefined) {
+                pkValues[pkShort] = value;
+            }
+        };
+        for (var _i = 0, primaryShorts_1 = primaryShorts; _i < primaryShorts_1.length; _i++) {
+            var pkShort = primaryShorts_1[_i];
+            _loop_1(pkShort);
+        }
+        if (primaryShorts.length > 0 && Object.keys(pkValues).length < primaryShorts.length) {
+            return null;
+        }
+        return Object.keys(pkValues).length > 0 ? pkValues : null;
+    };
+    SqlExecutor.prototype.broadcastWebsocketIfConfigured = function () {
+        return __awaiter(this, void 0, void 0, function () {
+            var broadcast, payload, error_1;
+            var _a, _b;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        broadcast = this.config.websocketBroadcast;
+                        if (!broadcast || this.config.requestMethod === C6Constants.GET)
+                            return [2 /*return*/];
+                        payload = {
+                            REST: {
+                                TABLE_NAME: this.config.restModel.TABLE_NAME,
+                                TABLE_PREFIX: (_b = (_a = this.config.C6) === null || _a === void 0 ? void 0 : _a.PREFIX) !== null && _b !== void 0 ? _b : "",
+                                METHOD: this.config.requestMethod,
+                                REQUEST: this.normalizeRequestPayload(this.extractRequestBody()),
+                                REQUEST_PRIMARY_KEY: this.extractPrimaryKeyValues(),
+                            },
+                        };
+                        _c.label = 1;
+                    case 1:
+                        _c.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, broadcast(payload)];
+                    case 2:
+                        _c.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        error_1 = _c.sent();
+                        if (this.config.verbose) {
+                            console.error("[SQL EXECUTOR] websocketBroadcast failed", error_1);
+                        }
+                        return [3 /*break*/, 4];
+                    case 4: return [2 /*return*/];
+                }
+            });
+        });
+    };
     SqlExecutor.prototype.runQuery = function () {
         return __awaiter(this, void 0, void 0, function () {
             var TABLE_NAME, method, builder, QueryResult, formatted, toUnnamed, _a, sql, values;
@@ -3082,6 +3313,9 @@ var SqlExecutor = /** @class */ (function (_super) {
                         this.config.verbose && console.log("[SQL EXECUTOR] \uD83E\uDDE0 Formatted ".concat(method.toUpperCase(), " SQL:"), formatted);
                         toUnnamed = namedPlaceholders();
                         _a = toUnnamed(QueryResult.sql, QueryResult.params), sql = _a[0], values = _a[1];
+                        return [4 /*yield*/, this.validateSqlAllowList(sql)];
+                    case 1:
+                        _b.sent();
                         return [4 /*yield*/, this.withConnection(function (conn) { return __awaiter(_this, void 0, void 0, function () {
                                 var result;
                                 return __generator(this, function (_a) {
@@ -3106,7 +3340,29 @@ var SqlExecutor = /** @class */ (function (_super) {
                                     }
                                 });
                             }); })];
-                    case 1: return [2 /*return*/, _b.sent()];
+                    case 2: return [2 /*return*/, _b.sent()];
+                }
+            });
+        });
+    };
+    SqlExecutor.prototype.validateSqlAllowList = function (sql) {
+        return __awaiter(this, void 0, void 0, function () {
+            var allowListPath, allowList, normalized;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        allowListPath = this.config.sqlAllowListPath;
+                        if (!allowListPath) {
+                            return [2 /*return*/];
+                        }
+                        return [4 /*yield*/, loadSqlAllowList(allowListPath)];
+                    case 1:
+                        allowList = _a.sent();
+                        normalized = normalizeSql(sql);
+                        if (!allowList.has(normalized)) {
+                            throw new Error("SQL statement is not permitted by allowlist (".concat(allowListPath, ")."));
+                        }
+                        return [2 /*return*/];
                 }
             });
         });
@@ -3123,7 +3379,7 @@ var SqlExecutor$1 = /*#__PURE__*/Object.freeze({
 // note sure how it would help anyone actually...
 function ExpressHandler(_a) {
     var _this = this;
-    var C6 = _a.C6, mysqlPool = _a.mysqlPool;
+    var C6 = _a.C6, mysqlPool = _a.mysqlPool, sqlAllowListPath = _a.sqlAllowListPath;
     return function (req, res, next) { return __awaiter(_this, void 0, void 0, function () {
         var incomingMethod, table, primary, methodOverrideRaw, methodOverride, treatAsGet, method, payload, restModel, primaryKeys_1, primaryShortKeys_1, columnMap_1, resolveShortKey_1, hasPrimaryKeyValues, primaryKeyName, response, err_1;
         var _a, _b, _c, _d, _e, _f, _g;
@@ -3209,6 +3465,7 @@ function ExpressHandler(_a) {
                     return [4 /*yield*/, restRequest({
                             C6: C6,
                             mysqlPool: mysqlPool,
+                            sqlAllowListPath: sqlAllowListPath,
                             requestMethod: method,
                             restModel: C6.TABLES[table]
                         })(payload)];
@@ -3327,5 +3584,5 @@ function isVerbose () {
     return ['true', '1', 'yes', 'on'].includes(envVerbose.toLowerCase());
 }
 
-export { A, AggregateBuilder, C6C, C6Constants, ConditionBuilder, DELETE, DeleteQueryBuilder, Executor, ExpressHandler, F, GET, HttpExecutor, JoinBuilder, POST, PUT, PaginationBuilder, PostQueryBuilder, SelectQueryBuilder, SqlExecutor, TestRestfulResponse, UpdateQueryBuilder, apiRequestCache, axiosInstance, bbox, carbonNodeQsStringify, checkAllRequestsComplete, checkCache, clearCache, convertForRequestBody, convertHexIfBinary, derivedTable, determineRuntimeJsType, distSphere, eFetchDependencies, error, fieldEq, getEnvVar, getPrimaryKeyTypes, group, info, isDerivedTableKey, isLocal, isNode, isTest, isVerbose, normalizeSingularRequest, onError, onSuccess, removeInvalidKeys, removePrefixIfExists, resolveDerivedTable, restOrm, restRequest, setCache, sortAndSerializeQueryObject, stContains, timeout, toastOptions, toastOptionsDevs, userCustomClearCache, warn };
+export { A, AggregateBuilder, C6C, C6Constants, ConditionBuilder, DELETE, DeleteQueryBuilder, Executor, ExpressHandler, F, GET, HttpExecutor, JoinBuilder, POST, PUT, PaginationBuilder, PostQueryBuilder, SelectQueryBuilder, SqlExecutor, TestRestfulResponse, UpdateQueryBuilder, apiRequestCache, axiosInstance, bbox, carbonNodeQsStringify, checkAllRequestsComplete, checkCache, clearCache, convertForRequestBody, convertHexIfBinary, derivedTable, determineRuntimeJsType, distSphere, eFetchDependencies, error, fieldEq, getEnvVar, getPrimaryKeyTypes, group, info, isDerivedTableKey, isLocal, isNode, isTest, isVerbose, loadSqlAllowList, normalizeSingularRequest, normalizeSql, onError, onSuccess, removeInvalidKeys, removePrefixIfExists, resolveDerivedTable, restOrm, restRequest, setCache, sortAndSerializeQueryObject, stContains, timeout, toastOptions, toastOptionsDevs, userCustomClearCache, warn };
 //# sourceMappingURL=index.esm.js.map