@nocobase/plugin-workflow-sql 2.1.0-beta.2 → 2.1.0-beta.21

package/dist/server/SQLInstruction.js

@@ -7,9 +7,11 @@
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
 
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -23,6 +25,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var SQLInstruction_exports = {};
 __export(SQLInstruction_exports, {
@@ -31,21 +41,49 @@ __export(SQLInstruction_exports, {
 module.exports = __toCommonJS(SQLInstruction_exports);
 var import_data_source_manager = require("@nocobase/data-source-manager");
 var import_plugin_workflow = require("@nocobase/plugin-workflow");
+var import_joi = __toESM(require("joi"));
 class SQLInstruction_default extends import_plugin_workflow.Instruction {
+  configSchema = import_joi.default.object({
+    dataSource: import_joi.default.string(),
+    sql: import_joi.default.string(),
+    withMeta: import_joi.default.boolean().default(false),
+    unsafeInjection: import_joi.default.boolean().default(false),
+    variables: import_joi.default.array().items(
+      import_joi.default.object({
+        name: import_joi.default.string().required(),
+        value: import_joi.default.any()
+      })
+    )
+  });
   async run(node, input, processor) {
     const dataSourceName = node.config.dataSource || "main";
     const { collectionManager } = this.workflow.app.dataSourceManager.dataSources.get(dataSourceName);
     if (!(collectionManager instanceof import_data_source_manager.SequelizeCollectionManager)) {
       throw new Error(`type of data source "${node.config.dataSource}" is not database`);
     }
-    const sql = processor.getParsedValue(node.config.sql || "", node.id).trim();
+    const { unsafeInjection = false, variables = [] } = node.config;
+    let sql = "";
+    let replacements = null;
+    if (unsafeInjection) {
+      sql = processor.getParsedValue(node.config.sql || "", node.id).trim();
+    } else {
+      sql = (node.config.sql || "").trim();
+      const parameters = processor.getParsedValue(variables, node.id);
+      replacements = {};
+      for (const { name, value } of parameters) {
+        if (name) {
+          replacements[name] = value;
+        }
+      }
+    }
     if (!sql) {
       return {
         status: import_plugin_workflow.JOB_STATUS.RESOLVED
       };
     }
     const [result = null, meta = null] = await collectionManager.db.sequelize.query(sql, {
-      transaction: this.workflow.useDataSourceTransaction(dataSourceName, processor.transaction)
+      transaction: this.workflow.useDataSourceTransaction(dataSourceName, processor.transaction),
+      replacements
       // plain: true,
       // model: db.getCollection(node.config.collection).model
     }) ?? [];
@@ -54,8 +92,14 @@ class SQLInstruction_default extends import_plugin_workflow.Instruction {
       status: import_plugin_workflow.JOB_STATUS.RESOLVED
     };
   }
-  async test({ dataSource, sql, withMeta } = {}) {
-    if (!sql) {
+  async test({
+    dataSource,
+    sql: sqlConfig,
+    withMeta,
+    unsafeInjection = false,
+    variables = []
+  } = {}) {
+    if (!sqlConfig) {
       return {
         result: null,
         status: import_plugin_workflow.JOB_STATUS.RESOLVED
@@ -67,7 +111,20 @@ class SQLInstruction_default extends import_plugin_workflow.Instruction {
       throw new Error(`type of data source "${dataSource}" is not database`);
     }
     try {
-      const [result = null, meta = null] = await collectionManager.db.sequelize.query(sql) ?? [];
+      let sql = "";
+      let replacements = null;
+      if (unsafeInjection) {
+        sql = sqlConfig.trim();
+      } else {
+        sql = sqlConfig.trim();
+        replacements = {};
+        for (const { name, value } of variables) {
+          if (name) {
+            replacements[name] = value;
+          }
+        }
+      }
+      const [result = null, meta = null] = await collectionManager.db.sequelize.query(sql, { replacements }) ?? [];
       return {
         result: withMeta ? [result, meta] : result,
         status: import_plugin_workflow.JOB_STATUS.RESOLVED

package/dist/server/migrations/20260327120000-add-unsafe-injection-flag.d.ts

@@ -0,0 +1,13 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Migration } from '@nocobase/server';
+export default class extends Migration {
+    appVersion: string;
+    up(): Promise<void>;
+}

package/dist/server/migrations/20260327120000-add-unsafe-injection-flag.js

@@ -0,0 +1,65 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var add_unsafe_injection_flag_exports = {};
+__export(add_unsafe_injection_flag_exports, {
+  default: () => add_unsafe_injection_flag_default
+});
+module.exports = __toCommonJS(add_unsafe_injection_flag_exports);
+var import_server = require("@nocobase/server");
+var import_utils = require("@nocobase/utils");
+class add_unsafe_injection_flag_default extends import_server.Migration {
+  appVersion = "<2.0.30";
+  async up() {
+    const { db } = this.context;
+    const NodeRepo = db.getRepository("flow_nodes");
+    await db.sequelize.transaction(async (transaction) => {
+      const nodes = await NodeRepo.find({
+        filter: {
+          type: "sql"
+        },
+        transaction
+      });
+      await nodes.reduce(
+        (promise, node) => promise.then(() => {
+          var _a, _b;
+          const sql = ((_a = node.config) == null ? void 0 : _a.sql) || "";
+          const template = (0, import_utils.parse)(sql);
+          if (!((_b = template.parameters) == null ? void 0 : _b.length)) {
+            return;
+          }
+          node.set("config", { ...node.config, unsafeInjection: true });
+          node.changed("config", true);
+          return node.save({
+            silent: true,
+            transaction
+          });
+        }),
+        Promise.resolve()
+      );
+    });
+  }
+}

package/package.json

@@ -6,14 +6,15 @@
   "description": "Execute SQL statements in workflow.",
   "description.ru-RU": "Выполняет SQL-запросы в рамках рабочего процесса.",
   "description.zh-CN": "可用于在工作流中对数据库执行任意 SQL 语句。",
-  "version": "2.1.0-beta.2",
-  "license": "AGPL-3.0",
+  "version": "2.1.0-beta.21",
+  "license": "Apache-2.0",
   "main": "./dist/server/index.js",
   "homepage": "https://docs.nocobase.com/handbook/workflow-sql",
   "homepage.ru-RU": "https://docs-ru.nocobase.com/handbook/workflow-sql",
   "homepage.zh-CN": "https://docs-cn.nocobase.com/handbook/workflow-sql",
   "devDependencies": {
     "antd": "5.x",
+    "joi": "^17.13.3",
     "react": "18.x",
     "react-i18next": "^11.15.1"
   },
@@ -24,7 +25,7 @@
     "@nocobase/server": "2.x",
     "@nocobase/test": "2.x"
   },
-  "gitHead": "d80433799fb4a8d59ded4d7eea114d585a137ea0",
+  "gitHead": "324bd82f33fca58e98711688a17ceb65c186b65e",
   "keywords": [
     "Workflow"
   ]