@strapi/plugin-users-permissions 4.12.6 → 4.13.0-alpha.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.12.6",
+  "version": "4.13.0-alpha.0",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -30,9 +30,9 @@
   },
   "dependencies": {
     "@strapi/design-system": "1.9.0",
-    "@strapi/helper-plugin": "4.12.6",
+    "@strapi/helper-plugin": "4.13.0-alpha.0",
     "@strapi/icons": "1.9.0",
-    "@strapi/utils": "4.12.6",
+    "@strapi/utils": "4.13.0-alpha.0",
     "bcryptjs": "2.4.3",
     "formik": "2.4.0",
     "grant-koa": "5.4.8",
@@ -77,5 +77,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "9bb6ba1e0d07c65423e99075438262540a042d76"
+  "gitHead": "41844c2867621a1f47dd6ae6ac83283aa54b22f8"
 }

package/server/bootstrap/index.js

@@ -10,10 +10,12 @@
 const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
+const { isArray } = require('lodash/fp');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
 const usersPermissionsActions = require('./users-permissions-actions');
+const userSchema = require('../content-types/user');
 
 const initGrant = async (pluginStore) => {
   const apiPrefix = strapi.config.get('api.rest.prefix');
@@ -97,6 +99,26 @@ const initAdvancedOptions = async (pluginStore) => {
   }
 };
 
+const userSchemaAdditions = () => {
+  const defaultSchema = Object.keys(userSchema.attributes);
+  const currentSchema = Object.keys(
+    strapi.contentTypes['plugin::users-permissions.user'].attributes
+  );
+
+  // Some dynamic fields may not have been initialized yet, so we need to ignore them
+  // TODO: we should have a global method for finding these
+  const ignoreDiffs = [
+    'createdBy',
+    'createdAt',
+    'updatedBy',
+    'updatedAt',
+    'publishedAt',
+    'strapi_reviewWorkflows_stage',
+  ];
+
+  return currentSchema.filter((key) => !(ignoreDiffs.includes(key) || defaultSchema.includes(key)));
+};
+
 module.exports = async ({ strapi }) => {
   const pluginStore = strapi.store({ type: 'plugin', name: 'users-permissions' });
 
@@ -130,4 +152,17 @@ For security reasons, prefer storing the secret in an environment variable and r
       );
     }
   }
+
+  // TODO v5: Remove this block of code and default allowedFields to empty array
+  if (!isArray(strapi.config.get('plugin.users-permissions.register.allowedFields'))) {
+    const modifications = userSchemaAdditions();
+    if (modifications.length > 0) {
+      // if there is a potential vulnerability, show a warning
+      strapi.log.warn(
+        `Users-permissions registration has defaulted to accepting the following additional user fields during registration: ${modifications.join(
+          ','
+        )}`
+      );
+    }
+  }
 };

package/server/controllers/auth.js

@@ -9,7 +9,11 @@
 /* eslint-disable no-useless-escape */
 const crypto = require('crypto');
 const _ = require('lodash');
+const { concat, compact, isArray } = require('lodash/fp');
 const utils = require('@strapi/utils');
+const {
+  contentTypes: { getNonWritableAttributes },
+} = require('@strapi/utils');
 const { getService } = require('../utils');
 const {
   validateCallbackBody,
@@ -273,20 +277,49 @@ module.exports = {
       throw new ApplicationError('Register action is currently disabled');
     }
 
+    const { register } = strapi.config.get('plugin.users-permissions');
+    const alwaysAllowedKeys = ['username', 'password', 'email'];
+    const userModel = strapi.contentTypes['plugin::users-permissions.user'];
+    const { attributes } = userModel;
+
+    const nonWritable = getNonWritableAttributes(userModel);
+
+    const allowedKeys = compact(
+      concat(
+        alwaysAllowedKeys,
+        isArray(register?.allowedFields)
+          ? // Note that we do not filter allowedFields in case a user explicitly chooses to allow a private or otherwise omitted field on registration
+            register.allowedFields // if null or undefined, compact will remove it
+          : // to prevent breaking changes, if allowedFields is not set in config, we only remove private and known dangerous user schema fields
+            // TODO V5: allowedFields defaults to [] when undefined and remove this case
+            Object.keys(attributes).filter(
+              (key) =>
+                !nonWritable.includes(key) &&
+                !attributes[key].private &&
+                ![
+                  // many of these are included in nonWritable, but we'll list them again to be safe and since we're removing this code in v5 anyway
+                  // Strapi user schema fields
+                  'confirmed',
+                  'blocked',
+                  'confirmationToken',
+                  'resetPasswordToken',
+                  'provider',
+                  'id',
+                  'role',
+                  // other Strapi fields that might be added
+                  'createdAt',
+                  'updatedAt',
+                  'createdBy',
+                  'updatedBy',
+                  'publishedAt', // d&p
+                  'strapi_reviewWorkflows_stage', // review workflows
+                ].includes(key)
+            )
+      )
+    );
+
     const params = {
-      ..._.omit(ctx.request.body, [
-        'confirmed',
-        'blocked',
-        'confirmationToken',
-        'resetPasswordToken',
-        'provider',
-        'id',
-        'createdAt',
-        'updatedAt',
-        'createdBy',
-        'updatedBy',
-        'role',
-      ]),
+      ..._.pick(ctx.request.body, allowedKeys),
       provider: 'local',
     };
 

package/server/controllers/user.js

@@ -11,7 +11,7 @@ const utils = require('@strapi/utils');
 const { getService } = require('../utils');
 const { validateCreateUserBody, validateUpdateUserBody } = require('./validation/user');
 
-const { sanitize } = utils;
+const { sanitize, validate } = utils;
 const { ApplicationError, ValidationError, NotFoundError } = utils.errors;
 
 const sanitizeOutput = async (user, ctx) => {
@@ -21,6 +21,13 @@ const sanitizeOutput = async (user, ctx) => {
   return sanitize.contentAPI.output(user, schema, { auth });
 };
 
+const validateQuery = async (query, ctx) => {
+  const schema = strapi.getModel('plugin::users-permissions.user');
+  const { auth } = ctx.state;
+
+  return validate.contentAPI.query(query, schema, { auth });
+};
+
 const sanitizeQuery = async (query, ctx) => {
   const schema = strapi.getModel('plugin::users-permissions.user');
   const { auth } = ctx.state;
@@ -143,6 +150,7 @@ module.exports = {
    * @return {Object|Array}
    */
   async find(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
     const users = await getService('user').fetchAll(sanitizedQuery);
 
@@ -155,6 +163,7 @@ module.exports = {
    */
   async findOne(ctx) {
     const { id } = ctx.params;
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     let data = await getService('user').fetch(id, sanitizedQuery);
@@ -171,6 +180,7 @@ module.exports = {
    * @return {Number}
    */
   async count(ctx) {
+    await validateQuery(ctx.query, ctx);
     const sanitizedQuery = await sanitizeQuery(ctx.query, ctx);
 
     ctx.body = await getService('user').count(sanitizedQuery);
@@ -201,6 +211,7 @@ module.exports = {
       return ctx.unauthorized();
     }
 
+    await validateQuery(query, ctx);
     const sanitizedQuery = await sanitizeQuery(query, ctx);
     const user = await getService('user').fetch(authUser.id, sanitizedQuery);