@strapi/utils 4.11.0-beta.1 → 4.11.0-exp.9xg4-3qfm-9w8f.1

package/lib/content-types.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const _ = require('lodash');
-const { has } = require('lodash/fp');
+const { getOr, has, union } = require('lodash/fp');
 
 const SINGLE_TYPE = 'singleType';
 const COLLECTION_TYPE = 'collectionType';
@@ -92,16 +92,23 @@ const isSingleType = ({ kind = COLLECTION_TYPE }) => kind === SINGLE_TYPE;
 const isCollectionType = ({ kind = COLLECTION_TYPE }) => kind === COLLECTION_TYPE;
 const isKind = (kind) => (model) => model.kind === kind;
 
+const getStoredPrivateAttributes = (model) => union(
+  strapi?.config?.get('api.responses.privateAttributes', []) ?? [],
+  getOr([], 'options.privateAttributes', model)
+);
+
 const getPrivateAttributes = (model = {}) => {
   return _.union(
-    strapi.config.get('api.responses.privateAttributes', []),
-    _.get(model, 'options.privateAttributes', []),
+    getStoredPrivateAttributes(model),
     _.keys(_.pickBy(model.attributes, (attr) => !!attr.private))
   );
 };
 
 const isPrivateAttribute = (model, attributeName) => {
-  return model?.privateAttributes?.includes(attributeName) ?? false;
+  if (model?.attributes?.[attributeName]?.private === true) {
+    return true;
+  }
+  return getStoredPrivateAttributes(model).includes(attributeName);
 };
 
 const isScalarAttribute = (attribute) => {

package/lib/convert-query-params.js

@@ -18,6 +18,7 @@ const {
   cloneDeep,
   get,
   mergeAll,
+  isString,
 } = require('lodash/fp');
 const _ = require('lodash');
 const parseType = require('./parse-type');
@@ -28,6 +29,7 @@ const {
   isDynamicZoneAttribute,
   isMorphToRelationalAttribute,
 } = require('./content-types');
+const { isOperator } = require('./operators');
 
 const { PUBLISHED_AT_ATTRIBUTE } = contentTypesUtils.constants;
 
@@ -46,7 +48,7 @@ class InvalidSortError extends Error {
 }
 
 const validateOrder = (order) => {
-  if (!['asc', 'desc'].includes(order.toLocaleLowerCase())) {
+  if (!isString(order) || !['asc', 'desc'].includes(order.toLocaleLowerCase())) {
     throw new InvalidOrderError();
   }
 };
@@ -80,6 +82,13 @@ const convertSortQueryParams = (sortQuery) => {
 };
 
 const convertSingleSortQueryParam = (sortQuery) => {
+  if (!sortQuery) {
+    return {};
+  }
+  if (!isString(sortQuery)) {
+    throw new Error('Invalid sort query');
+  }
+
   // split field and order param with default order to ascending
   const [field, order = 'asc'] = sortQuery.split(':');
 
@@ -89,6 +98,8 @@ const convertSingleSortQueryParam = (sortQuery) => {
 
   validateOrder(order);
 
+  // TODO: field should be a valid path on an object model
+
   return _.set({}, field, order);
 };
 
@@ -368,6 +379,7 @@ const convertNestedPopulate = (subPopulate, schema) => {
   return query;
 };
 
+// TODO: ensure field is valid in content types (will probably have to check strapi.contentTypes since it can be a string.path)
 const convertFieldsQueryParams = (fields, depth = 0) => {
   if (depth === 0 && fields === '*') {
     return undefined;
@@ -387,6 +399,18 @@ const convertFieldsQueryParams = (fields, depth = 0) => {
   throw new Error('Invalid fields parameter. Expected a string or an array of strings');
 };
 
+const isValidSchemaAttribute = (key, schema) => {
+  if (key === 'id') {
+    return true;
+  }
+
+  if (!schema) {
+    return false;
+  }
+
+  return Object.keys(schema.attributes).includes(key);
+};
+
 const convertFiltersQueryParams = (filters, schema) => {
   // Filters need to be either an array or an object
   // Here we're only checking for 'object' type since typeof [] => object and typeof {} => object
@@ -401,10 +425,6 @@ const convertFiltersQueryParams = (filters, schema) => {
 };
 
 const convertAndSanitizeFilters = (filters, schema) => {
-  if (!isPlainObject(filters)) {
-    return filters;
-  }
-
   if (Array.isArray(filters)) {
     return (
       filters
@@ -415,14 +435,23 @@ const convertAndSanitizeFilters = (filters, schema) => {
     );
   }
 
+  // This must come after check for Array or else arrays are not filtered
+  if (!isPlainObject(filters)) {
+    return filters;
+  }
+
   const removeOperator = (operator) => delete filters[operator];
 
   // Here, `key` can either be an operator or an attribute name
   for (const [key, value] of Object.entries(filters)) {
     const attribute = get(key, schema?.attributes);
+    const validKey = isOperator(key) || isValidSchemaAttribute(key, schema);
 
+    if (!validKey) {
+      removeOperator(key);
+    }
     // Handle attributes
-    if (attribute) {
+    else if (attribute) {
       // Relations
       if (attribute.type === 'relation') {
         filters[key] = convertAndSanitizeFilters(value, strapi.getModel(attribute.target));

package/lib/index.js

@@ -28,7 +28,6 @@ const { removeUndefined, keysDeep } = require('./object-formatting');
 const { getConfigUrls, getAbsoluteAdminUrl, getAbsoluteServerUrl } = require('./config');
 const { generateTimestampCode } = require('./code-generator');
 const contentTypes = require('./content-types');
-const webhook = require('./webhook');
 const env = require('./env-helper');
 const relations = require('./relations');
 const setCreatorFields = require('./set-creator-fields');
@@ -43,6 +42,7 @@ const importDefault = require('./import-default');
 const template = require('./template');
 const file = require('./file');
 const traverse = require('./traverse');
+const { isOperator, isOperatorOfType } = require('./operators');
 
 module.exports = {
   yup,
@@ -75,7 +75,6 @@ module.exports = {
   isCamelCase,
   toKebabCase,
   contentTypes,
-  webhook,
   env,
   relations,
   setCreatorFields,
@@ -93,4 +92,6 @@ module.exports = {
   importDefault,
   file,
   traverse,
+  isOperator,
+  isOperatorOfType,
 };

package/lib/operators.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const GROUP_OPERATORS = ['$and', '$or'];
+
+const WHERE_OPERATORS = [
+  '$not',
+  '$in',
+  '$notIn',
+  '$eq',
+  '$eqi',
+  '$ne',
+  '$gt',
+  '$gte',
+  '$lt',
+  '$lte',
+  '$null',
+  '$notNull',
+  '$between',
+  '$startsWith',
+  '$endsWith',
+  '$startsWithi',
+  '$endsWithi',
+  '$contains',
+  '$notContains',
+  '$containsi',
+  '$notContainsi',
+];
+
+const CAST_OPERATORS = [
+  '$not',
+  '$in',
+  '$notIn',
+  '$eq',
+  '$ne',
+  '$gt',
+  '$gte',
+  '$lt',
+  '$lte',
+  '$between',
+];
+
+const ARRAY_OPERATORS = ['$in', '$notIn', '$between'];
+
+const OPERATORS = {
+  where: WHERE_OPERATORS,
+  cast: CAST_OPERATORS,
+  group: GROUP_OPERATORS,
+  array: ARRAY_OPERATORS,
+};
+
+// for performance, cache all operators in lowercase
+const OPERATORS_LOWERCASE = Object.fromEntries(
+  Object.entries(OPERATORS).map(([key, values]) => [
+    key,
+    values.map((value) => value.toLowerCase()),
+  ])
+);
+
+const isOperatorOfType = (type, key, ignoreCase = false) => {
+  if (ignoreCase) {
+    return OPERATORS_LOWERCASE[type]?.includes(key.toLowerCase()) ?? false;
+  }
+  return OPERATORS[type]?.includes(key) ?? false;
+};
+
+const isOperator = (key, ignoreCase = false) => {
+  return Object.keys(OPERATORS).some((type) => isOperatorOfType(type, key, ignoreCase));
+};
+
+module.exports = {
+  isOperator,
+  isOperatorOfType,
+  OPERATORS,
+};

package/lib/sanitize/sanitizers.js

@@ -19,6 +19,7 @@ const {
   removeDynamicZones,
   removeMorphToRelations,
 } = require('./visitors');
+const { isOperator } = require('../operators');
 
 const sanitizePasswords = (schema) => async (entity) => {
   return traverseEntity(removePassword, { schema }, entity);
@@ -37,6 +38,17 @@ const defaultSanitizeOutput = async (schema, entity) => {
 
 const defaultSanitizeFilters = curry((schema, filters) => {
   return pipeAsync(
+    // Remove keys that are not attributes or valid operators
+    traverseQueryFilters(
+      ({ key, attribute }, { remove }) => {
+        const isAttribute = !!attribute;
+
+        if (!isAttribute && !isOperator(key) && key !== 'id') {
+          remove(key);
+        }
+      },
+      { schema }
+    ),
     // Remove dynamic zones from filters
     traverseQueryFilters(removeDynamicZones, { schema }),
     // Remove morpTo relations from filters

package/lib/sanitize/visitors/remove-private.js

@@ -7,7 +7,7 @@ module.exports = ({ schema, key, attribute }, { remove }) => {
     return;
   }
 
-  const isPrivate = isPrivateAttribute(schema, key) || attribute.private === true;
+  const isPrivate = attribute.private === true || isPrivateAttribute(schema, key);
 
   if (isPrivate) {
     remove(key);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/utils",
-  "version": "4.11.0-beta.1",
+  "version": "4.11.0-exp.9xg4-3qfm-9w8f.1",
   "description": "Shared utilities for the Strapi packages",
   "keywords": [
     "strapi",
@@ -49,5 +49,5 @@
     "node": ">=14.19.1 <=18.x.x",
     "npm": ">=6.0.0"
   },
-  "gitHead": "a5fa3bd7e1c4680dd350580620d383612597d25d"
+  "gitHead": "54c4fa25b2706612f85aaf103f54c071c281f23b"
 }

package/lib/webhook.js

@@ -1,16 +0,0 @@
-'use strict';
-
-const webhookEvents = {
-  ENTRY_CREATE: 'entry.create',
-  ENTRY_UPDATE: 'entry.update',
-  ENTRY_DELETE: 'entry.delete',
-  ENTRY_PUBLISH: 'entry.publish',
-  ENTRY_UNPUBLISH: 'entry.unpublish',
-  MEDIA_CREATE: 'media.create',
-  MEDIA_UPDATE: 'media.update',
-  MEDIA_DELETE: 'media.delete',
-};
-
-module.exports = {
-  webhookEvents,
-};