directus 9.12.0 → 9.13.0

package/dist/utils/get-string-byte-size.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Returns the byte size for a given input string
+ */
+export declare function stringByteSize(string: string): number;

package/dist/utils/get-string-byte-size.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stringByteSize = void 0;
+/**
+ * Returns the byte size for a given input string
+ */
+function stringByteSize(string) {
+    return Buffer.byteLength(string, 'utf-8');
+}
+exports.stringByteSize = stringByteSize;

package/dist/utils/job-queue.d.ts

@@ -0,0 +1,9 @@
+declare type Job = () => Promise<void> | void;
+export declare class JobQueue {
+    private running;
+    private jobs;
+    constructor();
+    enqueue(job: Job): void;
+    private run;
+}
+export {};

package/dist/utils/job-queue.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JobQueue = void 0;
+class JobQueue {
+    constructor() {
+        this.running = false;
+        this.jobs = [];
+    }
+    enqueue(job) {
+        this.jobs.push(job);
+        if (!this.running) {
+            this.run();
+        }
+    }
+    async run() {
+        this.running = true;
+        while (this.jobs.length > 0) {
+            const job = this.jobs.shift();
+            await job();
+        }
+        this.running = false;
+    }
+}
+exports.JobQueue = JobQueue;

package/dist/utils/jwt.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];

package/dist/utils/sanitize-query.js

@@ -8,7 +8,6 @@ const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const logger_1 = __importDefault(require("../logger"));
 const types_1 = require("../types");
-const parse_json_1 = require("./parse-json");
 function sanitizeQuery(rawQuery, accountability) {
     const query = {};
     if (rawQuery.limit !== undefined) {
@@ -83,7 +82,7 @@ function sanitizeAggregate(rawAggregate) {
     let aggregate = rawAggregate;
     if (typeof rawAggregate === 'string') {
         try {
-            aggregate = (0, parse_json_1.parseJSON)(rawAggregate);
+            aggregate = (0, utils_1.parseJSON)(rawAggregate);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -101,7 +100,7 @@ function sanitizeFilter(rawFilter, accountability) {
     let filters = rawFilter;
     if (typeof rawFilter === 'string') {
         try {
-            filters = (0, parse_json_1.parseJSON)(rawFilter);
+            filters = (0, utils_1.parseJSON)(rawFilter);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -136,7 +135,7 @@ function sanitizeDeep(deep, accountability) {
     const result = {};
     if (typeof deep === 'string') {
         try {
-            deep = (0, parse_json_1.parseJSON)(deep);
+            deep = (0, utils_1.parseJSON)(deep);
         }
         catch {
             logger_1.default.warn('Invalid value passed for deep query parameter.');
@@ -170,7 +169,7 @@ function sanitizeAlias(rawAlias) {
     let alias = rawAlias;
     if (typeof rawAlias === 'string') {
         try {
-            alias = (0, parse_json_1.parseJSON)(rawAlias);
+            alias = (0, utils_1.parseJSON)(rawAlias);
         }
         catch (err) {
             logger_1.default.warn('Invalid value passed for alias query parameter.');

package/dist/utils/validate-query.js

@@ -8,6 +8,8 @@ const joi_1 = __importDefault(require("joi"));
 const lodash_1 = require("lodash");
 const exceptions_1 = require("../exceptions");
 const wellknown_1 = require("wellknown");
+const calculate_field_depth_1 = require("./calculate-field-depth");
+const env_1 = __importDefault(require("../env"));
 const querySchema = joi_1.default.object({
     fields: joi_1.default.array().items(joi_1.default.string()),
     group: joi_1.default.array().items(joi_1.default.string()),
@@ -31,6 +33,7 @@ function validateQuery(query) {
     if (query.alias) {
         validateAlias(query.alias);
     }
+    validateRelationalDepth(query);
     if (error) {
         throw new exceptions_1.InvalidQueryException(error.message);
     }
@@ -153,3 +156,50 @@ function validateAlias(alias) {
         }
     }
 }
+function validateRelationalDepth(query) {
+    const maxRelationalDepth = Number(env_1.default.MAX_RELATIONAL_DEPTH) > 2 ? Number(env_1.default.MAX_RELATIONAL_DEPTH) : 2;
+    // Process the fields in the same way as api/src/utils/get-ast-from-query.ts
+    let fields = ['*'];
+    if (query.fields) {
+        fields = query.fields;
+    }
+    /**
+     * When using aggregate functions, you can't have any other regular fields
+     * selected. This makes sure you never end up in a non-aggregate fields selection error
+     */
+    if (Object.keys(query.aggregate || {}).length > 0) {
+        fields = [];
+    }
+    /**
+     * Similarly, when grouping on a specific field, you can't have other non-aggregated fields.
+     * The group query will override the fields query
+     */
+    if (query.group) {
+        fields = query.group;
+    }
+    fields = (0, lodash_1.uniq)(fields);
+    for (const field of fields) {
+        if (field.split('.').length > maxRelationalDepth) {
+            throw new exceptions_1.InvalidQueryException('Max relational depth exceeded.');
+        }
+    }
+    if (query.filter) {
+        const filterRelationalDepth = (0, calculate_field_depth_1.calculateFieldDepth)(query.filter);
+        if (filterRelationalDepth > maxRelationalDepth) {
+            throw new exceptions_1.InvalidQueryException('Max relational depth exceeded.');
+        }
+    }
+    if (query.sort) {
+        for (const sort of query.sort) {
+            if (sort.split('.').length > maxRelationalDepth) {
+                throw new exceptions_1.InvalidQueryException('Max relational depth exceeded.');
+            }
+        }
+    }
+    if (query.deep) {
+        const deepRelationalDepth = (0, calculate_field_depth_1.calculateFieldDepth)(query.deep, ['_sort']);
+        if (deepRelationalDepth > maxRelationalDepth) {
+            throw new exceptions_1.InvalidQueryException('Max relational depth exceeded.');
+        }
+    }
+}

package/dist/webhooks.js

@@ -11,13 +11,17 @@ const logger_1 = __importDefault(require("./logger"));
 const services_1 = require("./services");
 const get_schema_1 = require("./utils/get-schema");
 const messenger_1 = require("./messenger");
+const job_queue_1 = require("./utils/job-queue");
 let registered = [];
+const reloadQueue = new job_queue_1.JobQueue();
 async function init() {
     await register();
     const messenger = (0, messenger_1.getMessenger)();
     messenger.subscribe('webhooks', (event) => {
         if (event.type === 'reload') {
-            reload();
+            reloadQueue.enqueue(async () => {
+                await reload();
+            });
         }
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "directus",
-	"version": "9.12.0",
+	"version": "9.13.0",
 	"license": "GPL-3.0-only",
 	"homepage": "https://github.com/directus/directus#readme",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content.",
@@ -76,86 +76,88 @@
 		"README.md"
 	],
 	"dependencies": {
-		"@aws-sdk/client-ses": "^3.40.0",
-		"@directus/app": "9.12.0",
-		"@directus/drive": "9.12.0",
-		"@directus/drive-azure": "9.12.0",
-		"@directus/drive-gcs": "9.12.0",
-		"@directus/drive-s3": "9.12.0",
-		"@directus/extensions-sdk": "9.12.0",
-		"@directus/format-title": "9.12.0",
-		"@directus/schema": "9.12.0",
-		"@directus/shared": "9.12.0",
-		"@directus/specs": "9.12.0",
-		"@godaddy/terminus": "^4.9.0",
+		"@aws-sdk/client-ses": "^3.107.0",
+		"@directus/app": "9.13.0",
+		"@directus/drive": "9.13.0",
+		"@directus/drive-azure": "9.13.0",
+		"@directus/drive-gcs": "9.13.0",
+		"@directus/drive-s3": "9.13.0",
+		"@directus/extensions-sdk": "9.13.0",
+		"@directus/format-title": "9.13.0",
+		"@directus/schema": "9.13.0",
+		"@directus/shared": "9.13.0",
+		"@directus/specs": "9.13.0",
+		"@godaddy/terminus": "^4.10.2",
 		"@rollup/plugin-alias": "^3.1.9",
-		"@rollup/plugin-virtual": "^2.0.3",
-		"argon2": "^0.28.2",
-		"async": "^3.2.0",
-		"async-mutex": "^0.3.1",
-		"axios": "^0.24.0",
-		"busboy": "^0.3.1",
+		"@rollup/plugin-virtual": "^2.1.0",
+		"argon2": "^0.28.5",
+		"async": "^3.2.4",
+		"async-mutex": "^0.3.2",
+		"axios": "^0.27.2",
+		"busboy": "^1.6.0",
+		"bytes": "^3.1.2",
 		"camelcase": "^6.2.0",
 		"chalk": "^4.1.1",
-		"chokidar": "^3.5.2",
+		"chokidar": "^3.5.3",
 		"commander": "^8.0.0",
-		"cookie-parser": "^1.4.5",
+		"cookie-parser": "^1.4.6",
 		"cors": "^2.8.5",
 		"csv-parser": "^3.0.0",
-		"date-fns": "^2.22.1",
+		"date-fns": "^2.28.0",
 		"deep-diff": "^1.0.2",
 		"deep-map": "^2.0.0",
-		"destroy": "^1.0.4",
+		"destroy": "^1.2.0",
 		"dotenv": "^10.0.0",
-		"eventemitter2": "^6.4.3",
+		"eventemitter2": "^6.4.5",
 		"execa": "^5.1.1",
-		"exifr": "^7.1.2",
-		"express": "^4.17.1",
+		"exifr": "^7.1.3",
+		"express": "^4.18.1",
 		"fast-redact": "^3.1.1",
 		"flat": "^5.0.2",
-		"fs-extra": "^10.0.0",
+		"fs-extra": "^10.1.0",
 		"globby": "^11.0.4",
 		"graphql": "^15.5.0",
-		"graphql-compose": "^9.0.1",
+		"graphql-compose": "^9.0.8",
 		"helmet": "^4.6.0",
-		"inquirer": "^8.1.1",
-		"joi": "^17.3.0",
+		"inquirer": "^8.2.4",
+		"ioredis": "^4.27.6",
+		"joi": "^17.6.0",
 		"js-yaml": "^4.1.0",
-		"js2xmlparser": "^4.0.1",
-		"json2csv": "^5.0.3",
+		"js2xmlparser": "^4.0.2",
+		"json2csv": "^5.0.7",
 		"jsonwebtoken": "^8.5.1",
-		"keyv": "^4.0.3",
-		"knex": "^2.0.0",
-		"knex-schema-inspector": "1.7.3",
-		"ldapjs": "^2.3.1",
-		"liquidjs": "^9.25.0",
+		"keyv": "^4.3.0",
+		"knex": "^2.1.0",
+		"knex-schema-inspector": "^2.0.1",
+		"ldapjs": "^2.3.3",
+		"liquidjs": "^9.37.0",
 		"lodash": "^4.17.21",
 		"macos-release": "^2.4.1",
-		"marked": "^4.0.3",
+		"marked": "^4.0.16",
 		"micromustache": "^8.0.3",
-		"mime-types": "^2.1.31",
+		"mime-types": "^2.1.35",
 		"ms": "^2.1.3",
 		"nanoid": "^3.1.23",
-		"node-cron": "^3.0.0",
+		"node-cron": "^3.0.1",
 		"node-machine-id": "^1.1.12",
-		"nodemailer": "^6.6.1",
+		"nodemailer": "^6.7.5",
 		"object-hash": "^2.2.0",
-		"openapi3-ts": "^2.0.0",
-		"openid-client": "^5.0.0",
+		"openapi3-ts": "^2.0.2",
+		"openid-client": "^5.1.6",
 		"ora": "^5.4.0",
 		"otplib": "^12.0.1",
 		"pino": "6.13.3",
-		"pino-colada": "^2.1.0",
+		"pino-colada": "^2.2.2",
 		"pino-http": "5.8.0",
-		"qs": "^6.9.4",
-		"rate-limiter-flexible": "^2.2.2",
+		"qs": "^6.10.5",
+		"rate-limiter-flexible": "^2.3.7",
 		"resolve-cwd": "^3.0.0",
-		"rollup": "^2.67.3",
-		"sanitize-html": "^2.6.0",
-		"sharp": "^0.30.3",
-		"stream-json": "^1.7.1",
+		"rollup": "^2.75.6",
+		"sanitize-html": "^2.7.0",
+		"sharp": "^0.30.6",
+		"stream-json": "^1.7.4",
 		"strip-bom-stream": "^4.0.0",
-		"supertest": "^6.1.6",
+		"supertest": "^6.2.3",
 		"tmp-promise": "^3.0.3",
 		"update-check": "^1.5.4",
 		"uuid": "^8.3.2",
@@ -163,22 +165,21 @@
 		"wellknown": "^0.5.0"
 	},
 	"optionalDependencies": {
-		"@keyv/redis": "^2.1.2",
-		"ioredis": "^4.27.6",
+		"@keyv/redis": "^2.3.6",
 		"keyv-memcache": "^1.2.5",
 		"memcached": "^2.2.2",
 		"mysql": "^2.18.1",
-		"nodemailer-mailgun-transport": "^2.1.3",
-		"pg": "^8.6.0",
-		"sqlite3": "^5.0.6",
+		"nodemailer-mailgun-transport": "^2.1.4",
+		"pg": "^8.7.3",
+		"sqlite3": "^5.0.8",
 		"tedious": "^13.0.0"
 	},
-	"gitHead": "4d63fba50a7cf199e89423365a515e99cecf4ebf",
+	"gitHead": "fd55233b1124a2887e04e4418f04c7a7b94398b7",
 	"devDependencies": {
-		"@types/async": "3.2.10",
+		"@types/async": "3.2.13",
 		"@types/body-parser": "1.19.2",
-		"@types/busboy": "0.3.1",
-		"@types/cookie-parser": "1.4.2",
+		"@types/busboy": "1.5.0",
+		"@types/cookie-parser": "1.4.3",
 		"@types/cors": "2.8.12",
 		"@types/deep-diff": "1.0.1",
 		"@types/destroy": "1.0.0",
@@ -188,16 +189,16 @@
 		"@types/fast-redact": "^3.0.1",
 		"@types/flat": "5.0.2",
 		"@types/fs-extra": "9.0.13",
-		"@types/inquirer": "8.1.3",
+		"@types/inquirer": "8.2.1",
 		"@types/ioredis": "^4.28.10",
 		"@types/jest": "27.4.1",
 		"@types/js-yaml": "4.0.5",
 		"@types/json2csv": "5.0.3",
-		"@types/jsonwebtoken": "8.5.6",
-		"@types/keyv": "3.1.3",
+		"@types/jsonwebtoken": "8.5.8",
+		"@types/keyv": "3.1.4",
 		"@types/ldapjs": "2.2.2",
-		"@types/lodash": "4.14.177",
-		"@types/marked": "4.0.1",
+		"@types/lodash": "4.14.182",
+		"@types/marked": "4.0.3",
 		"@types/mime-types": "2.1.1",
 		"@types/ms": "0.7.31",
 		"@types/node": "16.11.9",
@@ -205,22 +206,22 @@
 		"@types/nodemailer": "6.4.4",
 		"@types/object-hash": "2.2.1",
 		"@types/pino": "6.3.12",
-		"@types/pino-http": "5.8.0",
+		"@types/pino-http": "5.8.1",
 		"@types/qs": "6.9.7",
-		"@types/sanitize-html": "2.5.0",
-		"@types/sharp": "0.29.4",
-		"@types/stream-json": "1.7.1",
-		"@types/supertest": "2.0.11",
-		"@types/uuid": "8.3.3",
+		"@types/sanitize-html": "2.6.2",
+		"@types/sharp": "0.30.4",
+		"@types/stream-json": "1.7.2",
+		"@types/supertest": "2.0.12",
+		"@types/uuid": "8.3.4",
 		"@types/uuid-validate": "0.0.1",
-		"@types/wellknown": "0.5.1",
+		"@types/wellknown": "0.5.3",
 		"copyfiles": "2.4.1",
 		"cross-env": "7.0.3",
 		"form-data": "^4.0.0",
 		"jest": "27.5.1",
-		"knex-mock-client": "1.7.0",
+		"knex-mock-client": "1.8.4",
 		"ts-jest": "27.1.3",
 		"ts-node-dev": "1.1.8",
-		"typescript": "4.5.2"
+		"typescript": "4.7.3"
 	}
 }

package/dist/utils/operation-options.d.ts

@@ -1,3 +0,0 @@
-export declare function applyOperationOptions(options: Record<string, any>, data: Record<string, any>): Record<string, any>;
-export declare function optionToObject<T>(option: T): Exclude<T, string>;
-export declare function optionToString(option: unknown): string;

package/dist/utils/operation-options.js

@@ -1,45 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.optionToString = exports.optionToObject = exports.applyOperationOptions = void 0;
-const micromustache_1 = require("micromustache");
-const parse_json_1 = require("./parse-json");
-function resolveFn(path, scope) {
-    if (!scope)
-        return undefined;
-    const value = (0, micromustache_1.get)(scope, path);
-    return typeof value === 'object' ? JSON.stringify(value) : value;
-}
-function renderMustache(item, scope) {
-    if (typeof item === 'string') {
-        return (0, micromustache_1.renderFn)(item, resolveFn, scope, { explicit: true });
-    }
-    else if (Array.isArray(item)) {
-        return item.map((element) => renderMustache(element, scope));
-    }
-    else if (typeof item === 'object' && item !== null) {
-        return Object.fromEntries(Object.entries(item).map(([key, value]) => [key, renderMustache(value, scope)]));
-    }
-    else {
-        return item;
-    }
-}
-function applyOperationOptions(options, data) {
-    return Object.fromEntries(Object.entries(options).map(([key, value]) => {
-        if (typeof value === 'string') {
-            const single = value.match(/^\{\{\s*([^}\s]+)\s*\}\}$/);
-            if (single !== null) {
-                return [key, (0, micromustache_1.get)(data, single[1])];
-            }
-        }
-        return [key, renderMustache(value, data)];
-    }));
-}
-exports.applyOperationOptions = applyOperationOptions;
-function optionToObject(option) {
-    return typeof option === 'string' ? (0, parse_json_1.parseJSON)(option) : option;
-}
-exports.optionToObject = optionToObject;
-function optionToString(option) {
-    return typeof option === 'object' ? JSON.stringify(option) : String(option);
-}
-exports.optionToString = optionToString;

package/dist/utils/parse-json.d.ts

@@ -1,5 +0,0 @@
-/**
- * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
- */
-export declare function parseJSON(input: string): any;
-export declare function noproto<T>(key: string, value: T): T | void;

package/dist/utils/parse-json.js

@@ -1,19 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noproto = exports.parseJSON = void 0;
-/**
- * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
- */
-function parseJSON(input) {
-    if (String(input).includes('__proto__')) {
-        return JSON.parse(input, noproto);
-    }
-    return JSON.parse(input);
-}
-exports.parseJSON = parseJSON;
-function noproto(key, value) {
-    if (key !== '__proto__') {
-        return value;
-    }
-}
-exports.noproto = noproto;