npm - @opengis/fastify-table - Versions diffs - 1.2.3 → 1.2.5 - Mend

@opengis/fastify-table 1.2.3 → 1.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/server/plugins/crud/funcs/validateData.js +37 -0
package/server/routes/crud/controllers/insert.js +14 -3
package/server/routes/crud/controllers/update.js +13 -1
package/utils.js +2 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opengis/fastify-table",
-  "version": "1.2.3",
+  "version": "1.2.5",
   "type": "module",
   "description": "core-plugins",
   "keywords": [

package/server/plugins/crud/funcs/validateData.js ADDED Viewed

@@ -0,0 +1,37 @@
+const emailReg = /(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])/g;
+function checkField(key, val, options) {
+    // validators: [required]
+    if (options?.validators?.includes('required') && !val) {
+        return { error: 'empty required', key };
+    }
+    // validators: [email] / type: Email
+    if ((options.type?.toLowerCase() === 'email' || options?.validators?.includes('email')) && val && !val.match(emailReg)) {
+        return { error: 'invalid email', key, val };
+    }
+}
+export default function validateData({ body = {}, schema = {} }) {
+    const arr = Object.keys(schema).reduce((acc, key) => {
+        const curr = { ...schema[key], key };
+        if (curr.colModel?.length && curr.type?.toLowerCase() === 'datatable') {
+            return acc.concat(curr.colModel.map(col => {
+                const subkey = col.name || col.key;
+                const check = body[curr.key]?.reduce((acc, curr) => Object.assign(acc, checkField(subkey, curr[subkey], col)), {});
+                return { ...curr, ...col, check, key: `${curr.key}.${subkey}`, colModel: undefined };
+            }));
+        }
+        const check = checkField(curr.key, body[curr.key], schema[curr.key]);
+        return acc.concat({ ...curr, check });
+    }, []);
+    const invalidField = arr.find(el => el.check?.error);
+    if (invalidField) {
+        return { key: invalidField.key, ...invalidField.check };
+    }
+    return { message: 'ok' };
+}

package/server/routes/crud/controllers/insert.js CHANGED Viewed

@@ -1,6 +1,5 @@
 import {
-  applyHook, getAccess, getTemplate, checkXSS, dataInsert, getToken, config,
-  pgClients,
+  applyHook, getAccess, getTemplate, checkXSS, dataInsert, getToken, config, pgClients, logger, validateData,
 } from '../../../../utils.js';
 export default async function insert(req) {
@@ -44,10 +43,22 @@ export default async function insert(req) {
   const xssCheck = checkXSS({ body, schema });
   if (xssCheck.error && formData?.xssCheck !== false) {
-    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    logger.file('injection/xss', { table, form: form || loadTemplate?.form, body, uid: user?.uid, msg: xssCheck.error });
     return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
   }
+  const fieldCheck = validateData({ body, schema });
+  if (fieldCheck.error) {
+    logger.file('injection/sql', {
+      table,
+      form: form || loadTemplate?.form,
+      uid: user?.uid,
+      ...fieldCheck,
+    });
+    return { message: 'Дані не пройшли валідацію. Приберіть некоректні дані та спробуйте ще раз', status: 409 };
+  }
   if (![add, table].includes('admin.users')) {
     Object.assign(body, { uid: user?.uid, editor_id: user?.uid });
   }

package/server/routes/crud/controllers/update.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import {
-  pgClients, applyHook, getAccess, getTemplate, checkXSS, dataInsert, dataUpdate, logger, getToken,
+  pgClients, applyHook, getAccess, getTemplate, checkXSS, dataInsert, dataUpdate, logger, getToken, validateData,
 } from '../../../../utils.js';
 import config from '../../../../config.js';
 import insert from './insert.js';
@@ -62,6 +62,18 @@ export default async function update(req) {
     return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
   }
+  const fieldCheck = validateData({ body, schema });
+  if (fieldCheck.error) {
+    logger.file('injection/sql', {
+      table,
+      form: form || loadTemplate?.form,
+      uid: user?.uid,
+      ...fieldCheck,
+    });
+    return { message: 'Дані не пройшли валідацію. Приберіть некоректні дані та спробуйте ще раз', status: 409 };
+  }
   const res = await dataUpdate({
     table: loadTemplate?.table || table,
     id,

package/utils.js CHANGED Viewed

@@ -40,6 +40,7 @@ import getToken from './server/plugins/crud/funcs/getToken.js';
 import setToken from './server/plugins/crud/funcs/setToken.js';
 import getOpt from './server/plugins/crud/funcs/getOpt.js';
 import setOpt from './server/plugins/crud/funcs/setOpt.js';
+import validateData from './server/plugins/crud/funcs/validateData.js';
 // policy
 import checkXSS from './server/plugins/policy/funcs/checkXSS.js';
@@ -98,6 +99,7 @@ export {
   getOpt,
   setOpt,
   setToken,
+  validateData,
   // crud
   dataInsert,