npm - @nocobase/plugin-collection-sql - Versions diffs - 1.6.0-alpha.2 → 1.6.0-alpha.20 - Mend

@nocobase/plugin-collection-sql 1.6.0-alpha.2 → 1.6.0-alpha.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/externalVersion.js +5 -5
package/dist/server/plugin.js +15 -0
package/dist/server/resources/sql.js +16 -7
package/dist/server/utils.d.ts +9 -0
package/dist/server/utils.js +67 -0
package/package.json +2 -2

package/dist/externalVersion.js CHANGED Viewed

@@ -8,10 +8,10 @@
  */
 module.exports = {
-  "@nocobase/client": "1.6.0-alpha.2",
-  "@nocobase/server": "1.6.0-alpha.2",
-  "@nocobase/database": "1.6.0-alpha.2",
-  "@nocobase/actions": "1.6.0-alpha.2",
+  "@nocobase/client": "1.6.0-alpha.20",
+  "@nocobase/server": "1.6.0-alpha.20",
+  "@nocobase/database": "1.6.0-alpha.20",
+  "@nocobase/actions": "1.6.0-alpha.20",
   "sequelize": "6.35.2",
-  "@nocobase/utils": "1.6.0-alpha.2"
+  "@nocobase/utils": "1.6.0-alpha.20"
 };

package/dist/server/plugin.js CHANGED Viewed

@@ -43,6 +43,7 @@ module.exports = __toCommonJS(plugin_exports);
 var import_server = require("@nocobase/server");
 var import_sql_collection = require("./sql-collection");
 var import_sql = __toESM(require("./resources/sql"));
+var import_utils = require("./utils");
 class PluginCollectionSQLServer extends import_server.Plugin {
   async beforeLoad() {
     this.app.db.collectionFactory.registerCollectionType(import_sql_collection.SQLCollection, {
@@ -61,6 +62,20 @@ class PluginCollectionSQLServer extends import_server.Plugin {
       name: `pm.data-source-manager.collection-sql `,
       actions: ["sqlCollection:*"]
     });
+    this.app.resourceManager.use(async (ctx, next) => {
+      const { resourceName, actionName } = ctx.action;
+      if (resourceName === "collections" && actionName === "create") {
+        const { sql } = ctx.action.params.values || {};
+        if (sql) {
+          try {
+            (0, import_utils.checkSQL)(sql);
+          } catch (e) {
+            ctx.throw(400, ctx.t(e.message));
+          }
+        }
+      }
+      return next();
+    });
   }
 }
 var plugin_default = PluginCollectionSQLServer;

package/dist/server/resources/sql.js CHANGED Viewed

@@ -30,7 +30,9 @@ __export(sql_exports, {
 });
 module.exports = __toCommonJS(sql_exports);
 var import_sql_collection = require("../sql-collection");
+var import_utils = require("../utils");
 const updateCollection = async (ctx, transaction) => {
+  var _a;
   const { filterByTk, values } = ctx.action.params;
   const repo = ctx.db.getRepository("collections");
   const collection = await repo.findOne({
@@ -41,15 +43,21 @@ const updateCollection = async (ctx, transaction) => {
   });
   const existFields = await collection.getFields({ transaction });
   const deletedFields = existFields.filter((field) => {
-    var _a;
-    return !((_a = values.fields) == null ? void 0 : _a.find((f) => f.name === field.name));
+    var _a2;
+    return !((_a2 = values.fields) == null ? void 0 : _a2.find((f) => f.name === field.name));
   });
   for (const field of deletedFields) {
     await field.destroy({ transaction });
   }
   const upRes = await repo.update({
     filterByTk,
-    values,
+    values: {
+      ...values,
+      fields: (_a = values.fields) == null ? void 0 : _a.map((f) => {
+        delete f.key;
+        return f;
+      })
+    },
     updateAssociationValues: ["fields"],
     transaction
   });
@@ -59,13 +67,14 @@ var sql_default = {
   name: "sqlCollection",
   actions: {
     execute: async (ctx, next) => {
-      let { sql } = ctx.action.params.values || {};
+      const { sql } = ctx.action.params.values || {};
       if (!sql) {
         ctx.throw(400, ctx.t("Please enter a SQL statement"));
       }
-      sql = sql.trim().split(";").shift();
-      if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
-        ctx.throw(400, ctx.t("Only supports SELECT statements or WITH clauses"));
+      try {
+        (0, import_utils.checkSQL)(sql);
+      } catch (e) {
+        ctx.throw(400, ctx.t(e.message));
       }
       const tmpCollection = new import_sql_collection.SQLCollection({ name: "tmp", sql }, { database: ctx.db });
       const model = tmpCollection.model;

package/dist/server/utils.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export declare const checkSQL: (sql: string) => void;

package/dist/server/utils.js ADDED Viewed

@@ -0,0 +1,67 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  checkSQL: () => checkSQL
+});
+module.exports = __toCommonJS(utils_exports);
+const checkSQL = (sql) => {
+  const dangerKeywords = [
+    // PostgreSQL
+    "pg_read_file",
+    "pg_read_binary_file",
+    "pg_stat_file",
+    "pg_ls_dir",
+    "pg_logdir_ls",
+    "pg_terminate_backend",
+    "pg_cancel_backend",
+    "current_setting",
+    "set_config",
+    "pg_reload_conf",
+    "pg_sleep",
+    "generate_series",
+    // MySQL
+    "LOAD_FILE",
+    "BENCHMARK",
+    "@@global.",
+    "@@session.",
+    // SQLite
+    "sqlite3_load_extension",
+    "load_extension"
+  ];
+  sql = sql.trim().split(";").shift();
+  if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
+    throw new Error("Only supports SELECT statements or WITH clauses");
+  }
+  if (dangerKeywords.some((keyword) => sql.toLowerCase().includes(keyword.toLowerCase()))) {
+    throw new Error("SQL statements contain dangerous keywords");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkSQL
+});

package/package.json CHANGED Viewed

@@ -4,7 +4,7 @@
   "displayName.zh-CN": "数据表: SQL",
   "description": "Provides SQL collection template",
   "description.zh-CN": "提供 SQL 数据表模板",
-  "version": "1.6.0-alpha.2",
+  "version": "1.6.0-alpha.20",
   "homepage": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "main": "dist/server/index.js",
@@ -17,5 +17,5 @@
   "keywords": [
     "Collections"
   ],
-  "gitHead": "08bbc34c21727fc0ad0880f397a42bf7741091ee"
+  "gitHead": "c127664eb2b900edd5c18c9344046cd663a06c3b"
 }