npm - @nocobase/plugin-collection-sql - Versions diffs - 1.6.0-alpha.2 → 1.6.0-alpha.21 - Mend

@nocobase/plugin-collection-sql 1.6.0-alpha.2 → 1.6.0-alpha.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/LICENSE.txt +8 -6
package/dist/externalVersion.js +5 -5
package/dist/server/plugin.js +15 -0
package/dist/server/resources/sql.js +16 -7
package/dist/server/sql-collection/query-generator.js +2 -2
package/dist/server/utils.d.ts +9 -0
package/dist/server/utils.js +67 -0
package/package.json +2 -2

package/LICENSE.txt CHANGED Viewed

@@ -1,4 +1,4 @@
-Updated Date: October 15, 2024
+Updated Date: February 6, 2025
 NocoBase License Agreement
@@ -78,7 +78,7 @@ Except for Third-Party Open Source Software, the Company owns all copyrights, tr
 6.1 Obtain a permanent commercial license of the Software.
-6.2 Get 12 months of upgrade and exclusive technical support.
+6.2 Get software upgrades and exclusive technical support during the upgrade validity period.
 6.3 The licensed Software can be used for commercial purposes with no restrictions on the number of applications and users.
@@ -108,11 +108,13 @@ Except for Third-Party Open Source Software, the Company owns all copyrights, tr
 7.5 It is not allowed for the User with a Standard Edition license to sell Upper Layer Application to clients without a Commercial license.
-7.6 It is not allowed to publicly sell plugins developed for Software outside of the Marketplace.
+7.6 It is not allowed for the User with a Professional or Enterprise Edition license to sell Upper Layer Application to clients without a Commercial license with access to further development and configuration.
-7.7 If there is a violation of the above obligations or the terms of this Agreement, the rights owned by the User will be immediately terminated, the paid fees will not be refunded, and the Company reserves the right to pursue the User's legal responsibility.
+7.7 It is not allowed to publicly sell plugins developed for Software outside of the Marketplace.
-7.8 If there are other agreements in the contract for the above obligations, the contract agreement shall prevail.
+7.8 If there is a violation of the above obligations or the terms of this Agreement, the rights owned by the User will be immediately terminated, the paid fees will not be refunded, and the Company reserves the right to pursue the User's legal responsibility.
+7.9 If there are other agreements in the contract for the above obligations, the contract agreement shall prevail.
 ======================================
 8. Rights of Commercial Plugin License
@@ -120,7 +122,7 @@ Except for Third-Party Open Source Software, the Company owns all copyrights, tr
 8.1 Obtain a permanent Commercial Plugin License for the Commercial Plugin.
-8.2 Receive 12 months of upgrades and exclusive technical support.
+8.2 Get plugins upgrades and exclusive technical support during the upgrade validity period.
 8.3 Can be used for commercial purposes without restrictions on the number of applications or users.

package/dist/externalVersion.js CHANGED Viewed

@@ -8,10 +8,10 @@
  */
 module.exports = {
-  "@nocobase/client": "1.6.0-alpha.2",
-  "@nocobase/server": "1.6.0-alpha.2",
-  "@nocobase/database": "1.6.0-alpha.2",
-  "@nocobase/actions": "1.6.0-alpha.2",
+  "@nocobase/client": "1.6.0-alpha.21",
+  "@nocobase/server": "1.6.0-alpha.21",
+  "@nocobase/database": "1.6.0-alpha.21",
+  "@nocobase/actions": "1.6.0-alpha.21",
   "sequelize": "6.35.2",
-  "@nocobase/utils": "1.6.0-alpha.2"
+  "@nocobase/utils": "1.6.0-alpha.21"
 };

package/dist/server/plugin.js CHANGED Viewed

@@ -43,6 +43,7 @@ module.exports = __toCommonJS(plugin_exports);
 var import_server = require("@nocobase/server");
 var import_sql_collection = require("./sql-collection");
 var import_sql = __toESM(require("./resources/sql"));
+var import_utils = require("./utils");
 class PluginCollectionSQLServer extends import_server.Plugin {
   async beforeLoad() {
     this.app.db.collectionFactory.registerCollectionType(import_sql_collection.SQLCollection, {
@@ -61,6 +62,20 @@ class PluginCollectionSQLServer extends import_server.Plugin {
       name: `pm.data-source-manager.collection-sql `,
       actions: ["sqlCollection:*"]
     });
+    this.app.resourceManager.use(async (ctx, next) => {
+      const { resourceName, actionName } = ctx.action;
+      if (resourceName === "collections" && actionName === "create") {
+        const { sql } = ctx.action.params.values || {};
+        if (sql) {
+          try {
+            (0, import_utils.checkSQL)(sql);
+          } catch (e) {
+            ctx.throw(400, ctx.t(e.message));
+          }
+        }
+      }
+      return next();
+    });
   }
 }
 var plugin_default = PluginCollectionSQLServer;

package/dist/server/resources/sql.js CHANGED Viewed

@@ -30,7 +30,9 @@ __export(sql_exports, {
 });
 module.exports = __toCommonJS(sql_exports);
 var import_sql_collection = require("../sql-collection");
+var import_utils = require("../utils");
 const updateCollection = async (ctx, transaction) => {
+  var _a;
   const { filterByTk, values } = ctx.action.params;
   const repo = ctx.db.getRepository("collections");
   const collection = await repo.findOne({
@@ -41,15 +43,21 @@ const updateCollection = async (ctx, transaction) => {
   });
   const existFields = await collection.getFields({ transaction });
   const deletedFields = existFields.filter((field) => {
-    var _a;
-    return !((_a = values.fields) == null ? void 0 : _a.find((f) => f.name === field.name));
+    var _a2;
+    return !((_a2 = values.fields) == null ? void 0 : _a2.find((f) => f.name === field.name));
   });
   for (const field of deletedFields) {
     await field.destroy({ transaction });
   }
   const upRes = await repo.update({
     filterByTk,
-    values,
+    values: {
+      ...values,
+      fields: (_a = values.fields) == null ? void 0 : _a.map((f) => {
+        delete f.key;
+        return f;
+      })
+    },
     updateAssociationValues: ["fields"],
     transaction
   });
@@ -59,13 +67,14 @@ var sql_default = {
   name: "sqlCollection",
   actions: {
     execute: async (ctx, next) => {
-      let { sql } = ctx.action.params.values || {};
+      const { sql } = ctx.action.params.values || {};
       if (!sql) {
         ctx.throw(400, ctx.t("Please enter a SQL statement"));
       }
-      sql = sql.trim().split(";").shift();
-      if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
-        ctx.throw(400, ctx.t("Only supports SELECT statements or WITH clauses"));
+      try {
+        (0, import_utils.checkSQL)(sql);
+      } catch (e) {
+        ctx.throw(400, ctx.t(e.message));
       }
       const tmpCollection = new import_sql_collection.SQLCollection({ name: "tmp", sql }, { database: ctx.db });
       const model = tmpCollection.model;

package/dist/server/sql-collection/query-generator.js CHANGED Viewed

@@ -45,13 +45,13 @@ function selectQuery(tableName, options, model) {
   attributes = this.escapeAttributes(attributes, { model });
   attributes = attributes || ["*"];
   if (Object.prototype.hasOwnProperty.call(options, "where")) {
-    options.where = this.getWhereConditions(options.where, tableName, model, options);
+    options.where = this.getWhereConditions(options.where, model.name, model, options);
     if (options.where) {
       queryItems.push(` WHERE ${options.where}`);
     }
   }
   if (options.group) {
-    options.group = Array.isArray(options.group) ? options.group.map((t) => this.aliasGrouping(t, model, tableName, options)).join(", ") : this.aliasGrouping(options.group, model, tableName, options);
+    options.group = Array.isArray(options.group) ? options.group.map((t) => this.aliasGrouping(t, model, model.name, options)).join(", ") : this.aliasGrouping(options.group, model, model.name, options);
     if (options.group) {
       queryItems.push(` GROUP BY ${options.group}`);
     }

package/dist/server/utils.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export declare const checkSQL: (sql: string) => void;

package/dist/server/utils.js ADDED Viewed

@@ -0,0 +1,67 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  checkSQL: () => checkSQL
+});
+module.exports = __toCommonJS(utils_exports);
+const checkSQL = (sql) => {
+  const dangerKeywords = [
+    // PostgreSQL
+    "pg_read_file",
+    "pg_read_binary_file",
+    "pg_stat_file",
+    "pg_ls_dir",
+    "pg_logdir_ls",
+    "pg_terminate_backend",
+    "pg_cancel_backend",
+    "current_setting",
+    "set_config",
+    "pg_reload_conf",
+    "pg_sleep",
+    "generate_series",
+    // MySQL
+    "LOAD_FILE",
+    "BENCHMARK",
+    "@@global.",
+    "@@session.",
+    // SQLite
+    "sqlite3_load_extension",
+    "load_extension"
+  ];
+  sql = sql.trim().split(";").shift();
+  if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
+    throw new Error("Only supports SELECT statements or WITH clauses");
+  }
+  if (dangerKeywords.some((keyword) => sql.toLowerCase().includes(keyword.toLowerCase()))) {
+    throw new Error("SQL statements contain dangerous keywords");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkSQL
+});

package/package.json CHANGED Viewed

@@ -4,7 +4,7 @@
   "displayName.zh-CN": "数据表: SQL",
   "description": "Provides SQL collection template",
   "description.zh-CN": "提供 SQL 数据表模板",
-  "version": "1.6.0-alpha.2",
+  "version": "1.6.0-alpha.21",
   "homepage": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "main": "dist/server/index.js",
@@ -17,5 +17,5 @@
   "keywords": [
     "Collections"
   ],
-  "gitHead": "08bbc34c21727fc0ad0880f397a42bf7741091ee"
+  "gitHead": "873cbaec9554e684781b8dc6cfd4386bb5cfa5b0"
 }