@nocobase/plugin-collection-sql 1.6.0-alpha.6 → 1.6.0-alpha.7

package/dist/externalVersion.js

@@ -8,10 +8,10 @@
  */
 
 module.exports = {
-  "@nocobase/client": "1.6.0-alpha.6",
-  "@nocobase/server": "1.6.0-alpha.6",
-  "@nocobase/database": "1.6.0-alpha.6",
-  "@nocobase/actions": "1.6.0-alpha.6",
+  "@nocobase/client": "1.6.0-alpha.7",
+  "@nocobase/server": "1.6.0-alpha.7",
+  "@nocobase/database": "1.6.0-alpha.7",
+  "@nocobase/actions": "1.6.0-alpha.7",
   "sequelize": "6.35.2",
-  "@nocobase/utils": "1.6.0-alpha.6"
+  "@nocobase/utils": "1.6.0-alpha.7"
 };

package/dist/server/plugin.js

@@ -43,6 +43,7 @@ module.exports = __toCommonJS(plugin_exports);
 var import_server = require("@nocobase/server");
 var import_sql_collection = require("./sql-collection");
 var import_sql = __toESM(require("./resources/sql"));
+var import_utils = require("./utils");
 class PluginCollectionSQLServer extends import_server.Plugin {
   async beforeLoad() {
     this.app.db.collectionFactory.registerCollectionType(import_sql_collection.SQLCollection, {
@@ -61,6 +62,20 @@ class PluginCollectionSQLServer extends import_server.Plugin {
       name: `pm.data-source-manager.collection-sql `,
       actions: ["sqlCollection:*"]
     });
+    this.app.resourceManager.use(async (ctx, next) => {
+      const { resourceName, actionName } = ctx.action;
+      if (resourceName === "collections" && actionName === "create") {
+        const { sql } = ctx.action.params.values || {};
+        if (sql) {
+          try {
+            (0, import_utils.checkSQL)(sql);
+          } catch (e) {
+            ctx.throw(400, ctx.t(e.message));
+          }
+        }
+      }
+      return next();
+    });
   }
 }
 var plugin_default = PluginCollectionSQLServer;

package/dist/server/resources/sql.js

@@ -30,6 +30,7 @@ __export(sql_exports, {
 });
 module.exports = __toCommonJS(sql_exports);
 var import_sql_collection = require("../sql-collection");
+var import_utils = require("../utils");
 const updateCollection = async (ctx, transaction) => {
   var _a;
   const { filterByTk, values } = ctx.action.params;
@@ -66,13 +67,14 @@ var sql_default = {
   name: "sqlCollection",
   actions: {
     execute: async (ctx, next) => {
-      let { sql } = ctx.action.params.values || {};
+      const { sql } = ctx.action.params.values || {};
       if (!sql) {
         ctx.throw(400, ctx.t("Please enter a SQL statement"));
       }
-      sql = sql.trim().split(";").shift();
-      if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
-        ctx.throw(400, ctx.t("Only supports SELECT statements or WITH clauses"));
+      try {
+        (0, import_utils.checkSQL)(sql);
+      } catch (e) {
+        ctx.throw(400, ctx.t(e.message));
       }
       const tmpCollection = new import_sql_collection.SQLCollection({ name: "tmp", sql }, { database: ctx.db });
       const model = tmpCollection.model;

package/dist/server/utils.d.ts

@@ -0,0 +1,9 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+export declare const checkSQL: (sql: string) => void;

package/dist/server/utils.js

@@ -0,0 +1,67 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  checkSQL: () => checkSQL
+});
+module.exports = __toCommonJS(utils_exports);
+const checkSQL = (sql) => {
+  const dangerKeywords = [
+    // PostgreSQL
+    "pg_read_file",
+    "pg_read_binary_file",
+    "pg_stat_file",
+    "pg_ls_dir",
+    "pg_logdir_ls",
+    "pg_terminate_backend",
+    "pg_cancel_backend",
+    "current_setting",
+    "set_config",
+    "pg_reload_conf",
+    "pg_sleep",
+    "generate_series",
+    // MySQL
+    "LOAD_FILE",
+    "BENCHMARK",
+    "@@global.",
+    "@@session.",
+    // SQLite
+    "sqlite3_load_extension",
+    "load_extension"
+  ];
+  sql = sql.trim().split(";").shift();
+  if (!/^select/i.test(sql) && !/^with([\s\S]+)select([\s\S]+)/i.test(sql)) {
+    throw new Error("Only supports SELECT statements or WITH clauses");
+  }
+  if (dangerKeywords.some((keyword) => sql.toLowerCase().includes(keyword.toLowerCase()))) {
+    throw new Error("SQL statements contain dangerous keywords");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  checkSQL
+});

package/package.json

@@ -4,7 +4,7 @@
   "displayName.zh-CN": "数据表: SQL",
   "description": "Provides SQL collection template",
   "description.zh-CN": "提供 SQL 数据表模板",
-  "version": "1.6.0-alpha.6",
+  "version": "1.6.0-alpha.7",
   "homepage": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/collection-sql",
   "main": "dist/server/index.js",
@@ -17,5 +17,5 @@
   "keywords": [
     "Collections"
   ],
-  "gitHead": "485580ad30e5164ead7e15f3b4d219f2bce2caf4"
+  "gitHead": "d9552440f5e3ce2795c9f2f23a1b04f5376a1550"
 }