@opengis/fastify-table 1.1.45 → 1.1.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/Changelog.md +1 -1
  2. package/crud/controllers/utils/checkXSS.js +3 -2
  3. package/crud/funcs/getAccess.js +3 -4
  4. package/package.json +1 -1
  5. package/test/api/crud.xss.test.js +38 -22
package/Changelog.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # fastify-table
2
2
 
3
- ## 1.1.45 - 22.10.2024
3
+ ## 1.1.46 - 22.10.2024
4
4
 
5
5
  - addHook params refactor
6
6
  - add handlebars to utils
package/crud/controllers/utils/checkXSS.js CHANGED
@@ -16,15 +16,16 @@ function checkXSS({ body, schema = {} }) {
16
16
  // escape arrows on non-RTE
17
17
  Object.keys(body)
18
18
  .filter((key) => ['<', '>'].find((el) => body[key]?.includes?.(el))
19
- && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
19
+ && !['Summernote', 'Tiny', 'Ace'].includes(schema?.[key]?.type))
20
20
  ?.forEach((key) => {
21
21
  Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
22
22
  });
23
+
23
24
  // try { } catch (err) { return { error: err.toString() }; }
24
25
 
25
26
  if (!stopWords.length) return { body };
26
27
 
27
- const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
28
+ const disabledCheckFields = Object.keys(schema || {})?.filter((el) => schema?.[el]?.xssCheck === false); // exclude specific columns
28
29
 
29
30
  // check RTE
30
31
  /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));
package/crud/funcs/getAccess.js CHANGED
@@ -23,17 +23,16 @@ export default async function getAccess({ table, id, user }) {
23
23
  const { client: pg } = pgClients || {};
24
24
  const { uid, user_type: userType } = user || {};
25
25
 
26
- if (!uid || !table) return null;
27
-
28
- if (!pg.pk?.['admin.access']) return null;
26
+ if (!table || !pg.pk?.['admin.access']) return null;
29
27
 
30
28
  const body = await getTemplate('table', table) || {};
31
- if (!body?.table) return null;
32
29
 
33
30
  if (config.auth?.disable || user?.user_type?.includes('admin') || body?.public) {
34
31
  return { actions: ['get', 'edit', 'del'], my: true, query: '1=1' };
35
32
  }
36
33
 
34
+ if (!uid || !body?.table) return null;
35
+
37
36
  const { scope = 'my', actions = [] } = await pg.query(q, [table, uid]).then((res) => res.rows?.[0] || {});
38
37
 
39
38
  const { columns = [] } = await getMeta({ table: body?.table });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@opengis/fastify-table",
3
- "version": "1.1.45",
3
+ "version": "1.1.46",
4
4
  "type": "module",
5
5
  "description": "core-plugins",
6
6
  "main": "index.js",
package/test/api/crud.xss.test.js CHANGED
@@ -4,7 +4,22 @@ import assert from 'node:assert';
4
4
  import build from '../../helper.js';
5
5
 
6
6
  import setToken from '../../crud/funcs/setToken.js';
7
+ import getToken from '../../crud/funcs/getToken.js';
8
+ import addHook from '../../hook/funcs/addHook.js';
7
9
  import config from '../config.js';
10
+ import pgClients from '../../pg/pgClients.js';
11
+
12
+ addHook('preInsert', async ({ table }) => getToken({
13
+ mode: 'a', token: table, uid: '1', json: 1,
14
+ }));
15
+
16
+ addHook('preUpdate', async ({ table }) => getToken({
17
+ mode: 'w', token: table, uid: '1', json: 1,
18
+ }));
19
+
20
+ addHook('preDelete', async ({ table }) => getToken({
21
+ mode: 'w', token: table, uid: '1', json: 1,
22
+ }));
8
23
 
9
24
  test('api crud xss', async (t) => {
10
25
  const app = await build(t);
@@ -13,52 +28,53 @@ test('api crud xss', async (t) => {
13
28
  req.session = session;
14
29
  req.user = session.passport.user;
15
30
  });
16
- // app.decorateRequest('session', session);
17
31
 
32
+ const id = 'test';
18
33
  const prefix = config.prefix || '/api';
19
34
 
20
- let addTokens;
21
- let editTokens;
22
-
23
- // before
24
- t.test('setToken', async () => {
25
- addTokens = setToken({
26
- ids: [JSON.stringify({ table: 'gis.dataset', form: 'test.dataset.form' })],
35
+ await t.test('POST /insert', async () => {
36
+ const addTokens = setToken({
37
+ ids: [JSON.stringify({ table: 'test.rest_zone.table', form: 'rest_zone.form' })],
27
38
  mode: 'a',
28
39
  uid: 1,
29
40
  array: 1,
30
41
  });
31
- editTokens = setToken({
32
- ids: [JSON.stringify({ id: '5400000', table: 'gis.dataset', form: 'test.dataset.form' })],
33
- mode: 'w',
34
- uid: 1,
35
- array: 1,
36
- });
37
- assert.ok(addTokens.length === 1 && editTokens.length === 1, 'invalid token');
38
- });
39
-
40
- await t.test('POST /insert', async () => {
42
+ assert.ok(addTokens.length, 'invalid token');
41
43
  const res = await app.inject({
42
44
  method: 'POST',
43
45
  url: `${prefix}/table/${addTokens[0]}`,
44
- body: { dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>', dataset_id: '5400000' },
46
+ body: { rz_id: 'test', composition: '<a onClick="alert("XSS Injection")">xss injection</a>' },
45
47
  });
46
48
  assert.equal(res?.json()?.status || res?.statusCode, 409);
47
49
  });
48
50
 
51
+ const editTokens = setToken({
52
+ ids: [JSON.stringify({ id, table: 'test.rest_zone.table', form: 'rest_zone.form' })],
53
+ mode: 'w',
54
+ uid: 1,
55
+ array: 1,
56
+ });
57
+
49
58
  await t.test('PUT /update', async () => {
50
59
  const res = await app.inject({
51
60
  method: 'PUT',
52
- url: `${prefix}/table/${editTokens[0]}/${editTokens[0]}`,
53
- body: { editor_id: '11', dataset_name: '<a onClick="alert("XSS Injection")">xss injection</a>' },
61
+ url: `${prefix}/table/${editTokens[0]}`,
62
+ body: { editor_id: '11', composition: '<a onClick="alert("XSS Injection")">xss injection</a>' },
54
63
  });
55
64
  assert.equal(res.json()?.status || res?.statusCode, 409);
56
65
  });
57
66
  await t.test('DELETE /delete', async () => {
58
67
  const res = await app.inject({
59
68
  method: 'DELETE',
60
- url: `${prefix}/table/gis.dataset/5400000`,
69
+ url: `${prefix}/table/${editTokens[0]}`,
61
70
  });
62
71
  assert.equal(res?.json()?.status || res?.statusCode, 200);
63
72
  });
73
+
74
+ // after
75
+ await t.test('clean up', async () => {
76
+ const { rowCount } = await pgClients.client.query('delete from itree.rest_zones where composition::text ilike \'%xss injection%\'');
77
+ const { rowCount: testRows } = await pgClients.client.query('delete from itree.rest_zones where rz_id=\'test\'');
78
+ console.log('clean up', rowCount, testRows);
79
+ });
64
80
  });