ac-sanitizer 4.0.0 → 4.0.2

package/.github/workflows/node.js.yml

@@ -0,0 +1,30 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x, 18.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - run: yarn install
+    - run: yarn run test

package/CHANGELOG.md

@@ -1,3 +1,43 @@
+<a name="4.0.2"></a>
+
+## [4.0.2](https://github.com/mmpro/ac-sanitizer/compare/v4.0.1..v4.0.2) (2023-06-18 11:35:24)
+
+
+### Bug Fix
+
+* **App:** If base64 is an object, parse the converted string | MP | [cf9a49d9df121c7829932ae37192fd22f3d98438](https://github.com/mmpro/ac-sanitizer/commit/cf9a49d9df121c7829932ae37192fd22f3d98438)    
+Base64 might be a string or a stringified object. Try parsing the string to determine if it is an object  
+Related issues: [undefined/undefined#master](undefined/browse/master)
+### Chores
+
+* **App:** Updated packages | MP | [49da6b224e9382aa7cc6a298b2a0af06648931b8](https://github.com/mmpro/ac-sanitizer/commit/49da6b224e9382aa7cc6a298b2a0af06648931b8)    
+Updated packages  
+Related issues: [undefined/undefined#master](undefined/browse/master)
+### Chores
+
+* **App:** Add Github workflow | MP | [72668a139dda85330516077ef471af4aa4b68c3b](https://github.com/mmpro/ac-sanitizer/commit/72668a139dda85330516077ef471af4aa4b68c3b)    
+Add Github workflow  
+Related issues: [undefined/undefined#master](undefined/browse/master)
+<a name="4.0.1"></a>
+
+## [4.0.1](https://github.com/mmpro/ac-sanitizer/compare/v4.0.0..v4.0.1) (2023-04-18 18:38:15)
+
+
+### Bug Fix
+
+* **App:** Sanitize array of objects | MP | [c00ea6869a250672b1af1f1c1520223686cc59b9](https://github.com/mmpro/ac-sanitizer/commit/c00ea6869a250672b1af1f1c1520223686cc59b9)    
+Make sure to sanitize (remove non-defined properties from) array of objects  
+Related issues: [undefined/undefined#master](undefined/browse/master)
+### Tests
+
+* **App:** Added test for array of objects | MP | [7c3b698a09ef48398b95fdacc22542b14ef5cd30](https://github.com/mmpro/ac-sanitizer/commit/7c3b698a09ef48398b95fdacc22542b14ef5cd30)    
+Added test for array of objects  
+Related issues: [undefined/undefined#master](undefined/browse/master)
+### Chores
+
+* **App:** Updated packages | MP | [40d542dced814eebb74d384d999532f3e1c718ed](https://github.com/mmpro/ac-sanitizer/commit/40d542dced814eebb74d384d999532f3e1c718ed)    
+Updated packages  
+Related issues: [undefined/undefined#master](undefined/browse/master)
 <a name="4.0.0"></a>
 
 ## [4.0.0](https://github.com/mmpro/ac-sanitizer/compare/v3.10.7..v4.0.0) (2023-03-30 16:00:08)

package/README.md

@@ -1,6 +1,8 @@
 # AC Sanitizer
 Sanitizes  payloads with given field definitions
 
+[![Node.js CI](https://github.com/AdmiralCloud/ac-sanitizer/actions/workflows/node.js.yml/badge.svg)](https://github.com/AdmiralCloud/ac-sanitizer/actions/workflows/node.js.yml)
+
 ### Version 4 - Breaking changes
 Version 4 requires Node 16.
 

package/index.js

@@ -265,7 +265,7 @@ const sanitizer = function() {
         else if (field.minSize && _.size(value) < field.minSize) error = { message: fieldName + '_minSizeBoundary', additionalInfo: { minSize: field.minSize } }
         else if (field.valueType) {
           // very value of the array must be of this type
-          _.every(value, v => {
+          _.every(value, (v, index, value) => {
             const fieldsToCheck = {
               params: {},
               fields: [{ field: fieldName, type: _.get(field, 'valueType'), properties: _.get(field, 'properties'), wildcardAllowed: _.get(field, 'wildcardAllowed') }]
@@ -276,6 +276,8 @@ const sanitizer = function() {
               error = { message: fieldName + '_atLeastOneValueFailed', additionalInfo: { error: _.get(check, 'error'), value: v, type: _.get(field, 'valueType') } }
               return false
             }
+            // set the sanitized value
+            value[index] = _.get(check, `params.${fieldName}`)
             return true
           })
         }
@@ -328,6 +330,13 @@ const sanitizer = function() {
           if (!validator.isBase64(_.padEnd(value, (l+pad), '='))) error = { message: fieldName + '_notABase64String' }
           else if (field.convert) {
             _.set(paramsToCheck, fieldName, Buffer.from(value, 'base64').toString())
+            // the value might be a stringified object - try converting it
+            try {
+              _.set(paramsToCheck, fieldName, JSON.parse(_.get(paramsToCheck, fieldName)))
+            } 
+            catch(e) {
+              // ignore
+            }
           }
         }
       }

package/package.json

@@ -4,21 +4,21 @@
   "author": "Mark Poepping (https://www.admiralcloud.com)",
   "license": "MIT",
   "repository": "admiralcloud/ac-sanitizer",
-  "version": "4.0.0",
+  "version": "4.0.2",
   "homepage": "https://www.admiralcloud.com",
   "dependencies": {
     "ac-countrylist": "^1.0.7",
     "ac-file-extensions": "^2.0.5",
     "ac-ip": "^3.0.1",
     "chai": "^4.3.7",
-    "date-and-time": "^2.4.3",
-    "hashids": "^2.2.11",
+    "date-and-time": "^3.0.2",
+    "hashids": "^2.3.0",
     "lodash": "^4.17.21",
     "validator": "^13.9.0"
   },
   "devDependencies": {
-    "ac-semantic-release": "^0.3.5",
-    "eslint": "^8.37.0",
+    "ac-semantic-release": "^0.4.1",
+    "eslint": "^8.43.0",
     "mocha": "^10.2.0",
     "nyc": "^15.1.0"
   },

package/test/tests/array.js

@@ -30,6 +30,13 @@ module.exports = {
       { name: 'Array of fileExtensions - contains invalid', type: 'array', valueType: 'fileExtension', value: ['jpg', 'textimage'], error: 'array_atLeastOneValueFailed' },
       { name: 'Array of objects - valid', type: 'array', value: [{ 'createdAt': 'asc' }], enum: [{ 'createdAt': 'asc' }], expected: [{ 'createdAt': 'asc' }] },
       { name: 'Array of objects - invalid', type: 'array', value: [{ 'createdAt': 'desc' }], enum: [{ 'createdAt': 'asc' }], error: 'array_notAnAllowedValue' },
+      { name: 'Array of objects - check that object payload is sanitized', 
+        type: 'array', 
+        valueType: 'object', 
+        properties: [{ field: 'p1', type: 'string' }], 
+        value: [{ p1: 'isAString', p2: 'shouldBeRemoved' }, { p1: 'isAString2', p2: 'shouldBeRemoved2' }],
+        expected: [{ p1: 'isAString' },  { p1: 'isAString2' }]
+      }
     ]
 
 
@@ -40,7 +47,7 @@ module.exports = {
             array: _.get(test, 'value')
           },
           fields: [
-            { field: 'array', type: _.get(test, 'type'), required: _.get(test, 'required'), valueType: _.get(test, 'valueType'), minSize: _.get(test, 'minSize'), maxSize: _.get(test, 'maxSize') }
+            { field: 'array', type: _.get(test, 'type'), required: _.get(test, 'required'), valueType: _.get(test, 'valueType'), minSize: _.get(test, 'minSize'), maxSize: _.get(test, 'maxSize'), properties: _.get(test, "properties")}
           ]
         }
         if (test.enum) {

package/test/tests/base64.js

@@ -13,6 +13,8 @@ module.exports = {
       { name: 'Invalid base64 with convert', type: 'base64', convert: true, value: 123, error: 'base64_mustBeString' },
       { name: 'Base64 app.admiralcloud.com - requires padding', type: 'base64', value: 'aHR0cHM6Ly9hcHAuYWRtaXJhbGNsb3VkLmNvbQ', convert: true, expected: 'https://app.admiralcloud.com' },
       { name: 'Base64 app.admiralcloud.com - with padding', type: 'base64', value: 'aHR0cHM6Ly9hcHAuYWRtaXJhbGNsb3VkLmNvbQ==', convert: true, expected: 'https://app.admiralcloud.com' },
+      { name: 'Base64 encoded object', type: 'base64', value: 'eyJ1c2VySWQiOjEyMywiY3VzdG9tZXJJZCI6MTQ2LCJyZWFzb24iOiJCZWNhdXNlIEkgY2FuIn0=', convert: true, expected: { userId: 123, customerId: 146, reason: 'Because I can' } },
+      { name: 'Base64 encoded object', type: 'base64', value: 'eyJ1c2VySWQiOjEyMywiY3VzdG9tZXJJZCI6MTQ2LCJyZWFzbOiJCZWNhdXNlIEkgY2FuIn0=', convert: true, error: 'base64_notABase64String' },
     ]
 
     _.forEach(baseTests, (test) => {
@@ -34,7 +36,7 @@ module.exports = {
           }
         }
         else {
-          expect(_.get(r, 'params.base64')).to.equal(_.get(test, 'expected'))
+          expect(_.get(r, 'params.base64')).to.eql(_.get(test, 'expected'))
         }
         return done()
       })

package/test/tests/object.js

@@ -33,6 +33,26 @@ module.exports = {
           enum: "blue",
         },
       },
+      {
+        name: "Object with non-allowed properties - should be removed from payload by sanitizer",
+        type: "object",
+        properties: [
+          { field: "settings", type: "object", properties:[
+            { field: 'allowed', type: 'boolean' }
+          ] },
+        ],
+        value: {
+          settings: {
+            allowed: true,
+            notAllowed: true
+          }
+        },
+        expected: {
+          settings: {
+            allowed: true
+          }
+        }
+      },
       {
         name: "Object with non-allowed properties - do not ignore in strict mode",
         type: "object",