@mikro-orm/core 7.0.0-dev.33 → 7.0.0-dev.331

package/metadata/MetadataValidator.js

@@ -1,23 +1,33 @@
 import { Utils } from '../utils/Utils.js';
 import { MetadataError } from '../errors.js';
 import { ReferenceKind } from '../enums.js';
+/**
+ * List of property names that could lead to prototype pollution vulnerabilities.
+ * These names should never be used as entity property names because they could
+ * allow malicious code to modify object prototypes when property values are assigned.
+ *
+ * - `__proto__`: Could modify the prototype chain
+ * - `constructor`: Could modify the constructor property
+ * - `prototype`: Could modify the prototype object
+ *
+ * @internal
+ */
+const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype'];
 /**
  * @internal
  */
 export class MetadataValidator {
-    /**
-     * Validate there is only one property decorator. This disallows using `@Property()` together with e.g. `@ManyToOne()`
-     * on the same property. One should use only `@ManyToOne()` in such case.
-     * We allow the existence of the property in metadata if the reference type is the same, this should allow things like HMR to work.
-     */
-    static validateSingleDecorator(meta, propertyName, reference) {
-        if (meta.properties[propertyName] && meta.properties[propertyName].kind !== reference) {
-            throw MetadataError.multipleDecorators(meta.className, propertyName);
-        }
-    }
     validateEntityDefinition(metadata, name, options) {
         const meta = metadata.get(name);
-        if (meta.virtual || meta.expression) {
+        // View entities (expression with view flag) behave like regular tables but are read-only
+        // They can have primary keys and are created as actual database views
+        if (meta.view) {
+            this.validateViewEntity(meta);
+            return;
+        }
+        // Virtual entities (expression without view flag) have restrictions - no PKs, limited relation types
+        // Note: meta.virtual is set later in sync(), so we check for expression && !view here
+        if (meta.virtual || (meta.expression && !meta.view)) {
             for (const prop of Utils.values(meta.properties)) {
                 if (![ReferenceKind.SCALAR, ReferenceKind.EMBEDDED, ReferenceKind.MANY_TO_ONE, ReferenceKind.ONE_TO_ONE].includes(prop.kind)) {
                     throw new MetadataError(`Only scalars, embedded properties and to-many relations are allowed inside virtual entity. Found '${prop.kind}' in ${meta.className}.${prop.name}`);
@@ -36,13 +46,14 @@ export class MetadataValidator {
         this.validateDuplicateFieldNames(meta, options);
         this.validateIndexes(meta, meta.indexes ?? [], 'index');
         this.validateIndexes(meta, meta.uniques ?? [], 'unique');
+        this.validatePropertyNames(meta);
         for (const prop of Utils.values(meta.properties)) {
             if (prop.kind !== ReferenceKind.SCALAR) {
-                this.validateReference(meta, prop, metadata, options);
-                this.validateBidirectional(meta, prop, metadata);
+                this.validateReference(meta, prop, options);
+                this.validateBidirectional(meta, prop);
             }
-            else if (metadata.has(prop.type)) {
-                throw MetadataError.propertyTargetsEntityType(meta, prop, metadata.get(prop.type));
+            else if (metadata.getByClassName(prop.type, false)) {
+                throw MetadataError.propertyTargetsEntityType(meta, prop, metadata.getByClassName(prop.type));
             }
         }
     }
@@ -50,17 +61,19 @@ export class MetadataValidator {
         if (discovered.length === 0 && options.warnWhenNoEntities) {
             throw MetadataError.noEntityDiscovered();
         }
-        const duplicates = Utils.findDuplicates(discovered.map(meta => meta.className));
-        if (duplicates.length > 0 && options.checkDuplicateEntities) {
-            throw MetadataError.duplicateEntityDiscovered(duplicates);
-        }
-        const tableNames = discovered.filter(meta => !meta.abstract && meta === meta.root && (meta.tableName || meta.collection) && meta.schema !== '*');
+        // Validate no mixing of STI and TPT in the same hierarchy
+        this.validateInheritanceStrategies(discovered);
+        const tableNames = discovered.filter(meta => !meta.abstract &&
+            !meta.embeddable &&
+            meta === meta.root &&
+            (meta.tableName || meta.collection) &&
+            meta.schema !== '*');
         const duplicateTableNames = Utils.findDuplicates(tableNames.map(meta => {
             const tableName = meta.tableName || meta.collection;
             return (meta.schema ? '.' + meta.schema : '') + tableName;
         }));
-        if (duplicateTableNames.length > 0 && options.checkDuplicateTableNames && options.checkDuplicateEntities) {
-            throw MetadataError.duplicateEntityDiscovered(duplicateTableNames, 'table names');
+        if (duplicateTableNames.length > 0 && options.checkDuplicateTableNames) {
+            throw MetadataError.duplicateEntityDiscovered(duplicateTableNames);
         }
         // validate we found at least one entity (not just abstract/base entities)
         if (discovered.filter(meta => meta.name).length === 0 && options.warnWhenNoEntities) {
@@ -71,7 +84,7 @@ export class MetadataValidator {
             .replace(/\[]$/, '') // remove array suffix
             .replace(/\((.*)\)/, '$1'); // unwrap union types
         const name = (p) => {
-            if (typeof p === 'function') {
+            if (typeof p === 'function' && !p.prototype) {
                 return Utils.className(p());
             }
             return Utils.className(p);
@@ -79,7 +92,10 @@ export class MetadataValidator {
         const pivotProps = new Map();
         // check for not discovered entities
         discovered.forEach(meta => Object.values(meta.properties).forEach(prop => {
-            if (prop.kind !== ReferenceKind.SCALAR && !unwrap(prop.type).split(/ ?\| ?/).every(type => discovered.find(m => m.className === type))) {
+            if (prop.kind !== ReferenceKind.SCALAR &&
+                !unwrap(prop.type)
+                    .split(/ ?\| ?/)
+                    .every(type => discovered.find(m => m.className === type))) {
                 throw MetadataError.fromUnknownEntity(prop.type, `${meta.className}.${prop.name}`);
             }
             if (prop.pivotEntity) {
@@ -95,47 +111,137 @@ export class MetadataValidator {
             }
         });
     }
-    validateReference(meta, prop, metadata, options) {
+    validateReference(meta, prop, options) {
         // references do have types
         if (!prop.type) {
             throw MetadataError.fromWrongTypeDefinition(meta, prop);
         }
-        const targetMeta = metadata.find(prop.type);
+        // Polymorphic relations have multiple targets, validate PK compatibility
+        if (prop.polymorphic && prop.polymorphTargets) {
+            this.validatePolymorphicTargets(meta, prop);
+            return;
+        }
+        const targetMeta = prop.targetMeta;
         // references do have type of known entity
         if (!targetMeta) {
             throw MetadataError.fromWrongTypeDefinition(meta, prop);
         }
-        if (targetMeta.abstract && !targetMeta.discriminatorColumn && !targetMeta.embeddable) {
+        if (targetMeta.abstract && !targetMeta.root?.inheritanceType && !targetMeta.embeddable) {
             throw MetadataError.targetIsAbstract(meta, prop);
         }
-        if ([ReferenceKind.MANY_TO_ONE, ReferenceKind.ONE_TO_ONE].includes(prop.kind) && prop.persist === false && targetMeta.compositePK && options.checkNonPersistentCompositeProps) {
+        if ([ReferenceKind.MANY_TO_ONE, ReferenceKind.ONE_TO_ONE].includes(prop.kind) &&
+            prop.persist === false &&
+            targetMeta.compositePK &&
+            options.checkNonPersistentCompositeProps) {
             throw MetadataError.nonPersistentCompositeProp(meta, prop);
         }
+        this.validateTargetKey(meta, prop, targetMeta);
+    }
+    validateTargetKey(meta, prop, targetMeta) {
+        if (!prop.targetKey) {
+            return;
+        }
+        // targetKey is not supported for ManyToMany relations
+        if (prop.kind === ReferenceKind.MANY_TO_MANY) {
+            throw MetadataError.targetKeyOnManyToMany(meta, prop);
+        }
+        // targetKey must point to an existing property
+        const targetProp = targetMeta.properties[prop.targetKey];
+        if (!targetProp) {
+            throw MetadataError.targetKeyNotFound(meta, prop);
+        }
+        // targetKey must point to a unique property (composite unique is not sufficient)
+        if (!this.isPropertyUnique(targetProp, targetMeta)) {
+            throw MetadataError.targetKeyNotUnique(meta, prop);
+        }
+    }
+    /**
+     * Checks if a property has a unique constraint (either via `unique: true` or single-property `@Unique` decorator).
+     * Composite unique constraints are not sufficient for targetKey.
+     */
+    isPropertyUnique(prop, meta) {
+        if (prop.unique) {
+            return true;
+        }
+        // Check for single-property unique constraint via @Unique decorator
+        return !!meta.uniques?.some(u => {
+            const props = Utils.asArray(u.properties);
+            return props.length === 1 && props[0] === prop.name && !u.options;
+        });
+    }
+    validatePolymorphicTargets(meta, prop) {
+        const targets = prop.polymorphTargets;
+        // Validate targetKey exists and is compatible across all targets
+        if (prop.targetKey) {
+            for (const target of targets) {
+                const targetProp = target.properties[prop.targetKey];
+                if (!targetProp) {
+                    throw MetadataError.targetKeyNotFound(meta, prop, target);
+                }
+                // targetKey must point to a unique property (composite unique is not sufficient)
+                if (!this.isPropertyUnique(targetProp, target)) {
+                    throw MetadataError.targetKeyNotUnique(meta, prop, target);
+                }
+            }
+        }
+        const firstPKs = targets[0].getPrimaryProps();
+        for (let i = 1; i < targets.length; i++) {
+            const target = targets[i];
+            const targetPKs = target.getPrimaryProps();
+            if (targetPKs.length !== firstPKs.length) {
+                throw MetadataError.incompatiblePolymorphicTargets(meta, prop, targets[0], target, 'different number of primary keys');
+            }
+            for (let j = 0; j < firstPKs.length; j++) {
+                const firstPK = firstPKs[j];
+                const targetPK = targetPKs[j];
+                if (firstPK.runtimeType !== targetPK.runtimeType) {
+                    throw MetadataError.incompatiblePolymorphicTargets(meta, prop, targets[0], target, `incompatible primary key types: ${firstPK.name} (${firstPK.runtimeType}) vs ${targetPK.name} (${targetPK.runtimeType})`);
+                }
+            }
+        }
     }
-    validateBidirectional(meta, prop, metadata) {
+    validateBidirectional(meta, prop) {
         if (prop.inversedBy) {
-            const inverse = metadata.get(prop.type).properties[prop.inversedBy];
-            this.validateOwningSide(meta, prop, inverse, metadata);
+            this.validateOwningSide(meta, prop);
         }
         else if (prop.mappedBy) {
-            const inverse = metadata.get(prop.type).properties[prop.mappedBy];
-            this.validateInverseSide(meta, prop, inverse, metadata);
+            this.validateInverseSide(meta, prop);
         }
-        else {
+        else if (prop.kind === ReferenceKind.ONE_TO_MANY && !prop.mappedBy) {
             // 1:m property has `mappedBy`
-            if (prop.kind === ReferenceKind.ONE_TO_MANY && !prop.mappedBy) {
-                throw MetadataError.fromMissingOption(meta, prop, 'mappedBy');
-            }
+            throw MetadataError.fromMissingOption(meta, prop, 'mappedBy');
         }
     }
-    validateOwningSide(meta, prop, inverse, metadata) {
+    validateOwningSide(meta, prop) {
+        // For polymorphic relations, inversedBy may point to multiple entity types
+        if (prop.polymorphic && prop.polymorphTargets?.length) {
+            // For polymorphic relations, validate inversedBy against each target
+            // The inverse property should exist on the target entities and reference back to this property
+            for (const targetMeta of prop.polymorphTargets) {
+                const inverse = targetMeta.properties[prop.inversedBy];
+                // The inverse property is optional - some targets may not have it
+                if (!inverse) {
+                    continue;
+                }
+                // Validate the inverse property
+                if (inverse.targetMeta?.root.class !== meta.root.class) {
+                    throw MetadataError.fromWrongReference(meta, prop, 'inversedBy', inverse);
+                }
+                // inverse side is not defined as owner
+                if (inverse.inversedBy || inverse.owner) {
+                    throw MetadataError.fromWrongOwnership(meta, prop, 'inversedBy');
+                }
+            }
+            return;
+        }
+        const inverse = prop.targetMeta.properties[prop.inversedBy];
         // has correct `inversedBy` on owning side
         if (!inverse) {
             throw MetadataError.fromWrongReference(meta, prop, 'inversedBy');
         }
-        const targetClassName = metadata.find(inverse.type)?.root.className;
+        const targetClass = inverse.targetMeta?.root.class;
         // has correct `inversedBy` reference type
-        if (inverse.type !== meta.className && targetClassName !== meta.root.className) {
+        if (inverse.type !== meta.className && targetClass !== meta.root.class) {
             throw MetadataError.fromWrongReference(meta, prop, 'inversedBy', inverse);
         }
         // inverse side is not defined as owner
@@ -143,13 +249,18 @@ export class MetadataValidator {
             throw MetadataError.fromWrongOwnership(meta, prop, 'inversedBy');
         }
     }
-    validateInverseSide(meta, prop, owner, metadata) {
+    validateInverseSide(meta, prop) {
+        const owner = prop.targetMeta.properties[prop.mappedBy];
         // has correct `mappedBy` on inverse side
         if (prop.mappedBy && !owner) {
             throw MetadataError.fromWrongReference(meta, prop, 'mappedBy');
         }
         // has correct `mappedBy` reference type
-        if (owner.type !== meta.className && metadata.find(owner.type)?.root.className !== meta.root.className) {
+        // For polymorphic relations, check if this entity is one of the polymorphic targets
+        const isValidPolymorphicInverse = owner.polymorphic && owner.polymorphTargets?.some(target => target.class === meta.root.class);
+        if (!isValidPolymorphicInverse &&
+            owner.type !== meta.className &&
+            owner.targetMeta?.root.class !== meta.root.class) {
             throw MetadataError.fromWrongReference(meta, prop, 'mappedBy', owner);
         }
         // owning side is not defined as inverse
@@ -181,7 +292,10 @@ export class MetadataValidator {
     }
     validateDuplicateFieldNames(meta, options) {
         const candidates = Object.values(meta.properties)
-            .filter(prop => prop.persist !== false && !prop.inherited && prop.fieldNames?.length === 1 && (prop.kind !== ReferenceKind.EMBEDDED || prop.object))
+            .filter(prop => prop.persist !== false &&
+            !prop.inherited &&
+            prop.fieldNames?.length === 1 &&
+            (prop.kind !== ReferenceKind.EMBEDDED || prop.object))
             .map(prop => prop.fieldNames[0]);
         const duplicates = Utils.findDuplicates(candidates);
         if (duplicates.length > 0 && options.checkDuplicateFieldNames) {
@@ -192,7 +306,7 @@ export class MetadataValidator {
                     return [prop.embedded ? prop.embedded.join('.') : prop.name, prop.fieldNames[0]];
                 });
             });
-            throw MetadataError.duplicateFieldName(meta.className, pairs);
+            throw MetadataError.duplicateFieldName(meta.class, pairs);
         }
     }
     validateVersionField(meta) {
@@ -209,4 +323,60 @@ export class MetadataValidator {
             throw MetadataError.invalidVersionFieldType(meta);
         }
     }
+    /**
+     * Validates that entity properties do not use dangerous names that could lead to
+     * prototype pollution vulnerabilities. This validation ensures that property names
+     * cannot be exploited to modify object prototypes when values are assigned during
+     * entity hydration or persistence operations.
+     *
+     * @internal
+     */
+    validatePropertyNames(meta) {
+        for (const prop of Utils.values(meta.properties)) {
+            if (DANGEROUS_PROPERTY_NAMES.includes(prop.name)) {
+                throw MetadataError.dangerousPropertyName(meta, prop);
+            }
+        }
+    }
+    /**
+     * Validates view entity configuration.
+     * View entities must have an expression.
+     */
+    validateViewEntity(meta) {
+        // View entities must have an expression
+        if (!meta.expression) {
+            throw MetadataError.viewEntityWithoutExpression(meta);
+        }
+        // Validate indexes if present
+        this.validateIndexes(meta, meta.indexes ?? [], 'index');
+        this.validateIndexes(meta, meta.uniques ?? [], 'unique');
+        // Validate property names
+        this.validatePropertyNames(meta);
+    }
+    /**
+     * Validates that STI and TPT are not mixed in the same inheritance hierarchy.
+     * An entity hierarchy can use either STI (discriminatorColumn) or TPT (inheritance: 'tpt'),
+     * but not both.
+     *
+     * Note: This validation runs before `initTablePerTypeInheritance` sets `inheritanceType`,
+     * so we check the raw `inheritance` option from the decorator/schema.
+     */
+    validateInheritanceStrategies(discovered) {
+        const checkedRoots = new Set();
+        for (const meta of discovered) {
+            if (meta.embeddable) {
+                continue;
+            }
+            const root = meta.root;
+            if (checkedRoots.has(root)) {
+                continue;
+            }
+            checkedRoots.add(root);
+            const hasSTI = !!root.discriminatorColumn;
+            const hasTPT = root.inheritanceType === 'tpt' || root.inheritance === 'tpt';
+            if (hasSTI && hasTPT) {
+                throw MetadataError.mixedInheritanceStrategies(root, meta);
+            }
+        }
+    }
 }

package/metadata/discover-entities.d.ts

@@ -0,0 +1,5 @@
+import { type Constructor } from '../typings.js';
+import { EntitySchema } from './EntitySchema.js';
+export declare function discoverEntities(paths: string | string[], options?: {
+    baseDir?: string;
+}): Promise<Iterable<EntitySchema | Constructor>>;

package/metadata/discover-entities.js

@@ -0,0 +1,40 @@
+import { basename } from 'node:path';
+import { fs } from '../utils/fs-utils.js';
+import { Utils } from '../utils/Utils.js';
+import { MetadataStorage } from './MetadataStorage.js';
+import { EntitySchema } from './EntitySchema.js';
+async function getEntityClassOrSchema(filepath, allTargets, baseDir) {
+    const path = fs.normalizePath(baseDir, filepath);
+    const exports = await fs.dynamicImport(path);
+    const targets = Object.values(exports);
+    // ignore class implementations that are linked from an EntitySchema
+    for (const item of targets) {
+        if (item instanceof EntitySchema) {
+            for (const item2 of targets) {
+                if (item.meta.class === item2) {
+                    targets.splice(targets.indexOf(item2), 1);
+                }
+            }
+        }
+    }
+    for (const item of targets) {
+        const validTarget = item instanceof EntitySchema || (item instanceof Function && MetadataStorage.isKnownEntity(item.name));
+        if (validTarget && !allTargets.has(item)) {
+            allTargets.set(item, path);
+        }
+    }
+}
+export async function discoverEntities(paths, options) {
+    paths = Utils.asArray(paths).map(path => fs.normalizePath(path));
+    const baseDir = fs.absolutePath(options?.baseDir ?? process.cwd());
+    const files = fs.glob(paths, fs.normalizePath(baseDir));
+    const found = new Map();
+    for (const filepath of files) {
+        const filename = basename(filepath);
+        if (!/\.[cm]?[jt]s$/.exec(filename) || /\.d\.[cm]?ts/.exec(filename)) {
+            continue;
+        }
+        await getEntityClassOrSchema(filepath, found, baseDir);
+    }
+    return found.keys();
+}

package/metadata/index.d.ts

@@ -1,6 +1,6 @@
+export type * from './types.js';
 export * from './EntitySchema.js';
 export * from './MetadataDiscovery.js';
 export * from './MetadataStorage.js';
 export * from './MetadataProvider.js';
 export * from './MetadataValidator.js';
-export * from './ReflectMetadataProvider.js';

package/metadata/index.js

@@ -3,4 +3,3 @@ export * from './MetadataDiscovery.js';
 export * from './MetadataStorage.js';
 export * from './MetadataProvider.js';
 export * from './MetadataValidator.js';
-export * from './ReflectMetadataProvider.js';