directus 9.5.2 → 9.7.1

package/dist/exceptions/database/dialects/mysql.js

@@ -38,6 +38,7 @@ function extractError(error) {
 }
 exports.extractError = extractError;
 function uniqueViolation(error) {
+    var _a, _b, _c, _d, _e;
     const betweenQuotes = /'([^']+)'/g;
     const matches = error.sqlMessage.match(betweenQuotes);
     if (!matches)
@@ -49,13 +50,13 @@ function uniqueViolation(error) {
      */
     /** MySQL 8+ style error message */
     if (matches[1].includes('.')) {
-        const collection = matches[1].slice(1, -1).split('.')[0];
+        const collection = (_a = matches[1]) === null || _a === void 0 ? void 0 : _a.slice(1, -1).split('.')[0];
         let field = null;
-        const indexName = matches[1].slice(1, -1).split('.')[1];
+        const indexName = (_b = matches[1]) === null || _b === void 0 ? void 0 : _b.slice(1, -1).split('.')[1];
         if ((indexName === null || indexName === void 0 ? void 0 : indexName.startsWith(`${collection}_`)) && indexName.endsWith('_unique')) {
-            field = indexName.slice(collection.length + 1, -7);
+            field = indexName === null || indexName === void 0 ? void 0 : indexName.slice(collection.length + 1, -7);
         }
-        const invalid = matches[0].slice(1, -1);
+        const invalid = (_c = matches[0]) === null || _c === void 0 ? void 0 : _c.slice(1, -1);
         return new record_not_unique_1.RecordNotUniqueException(field, {
             collection,
             field,
@@ -64,13 +65,13 @@ function uniqueViolation(error) {
     }
     else {
         /** MySQL 5.7 style error message */
-        const indexName = matches[1].slice(1, -1);
+        const indexName = (_d = matches[1]) === null || _d === void 0 ? void 0 : _d.slice(1, -1);
         const collection = indexName.split('_')[0];
         let field = null;
         if ((indexName === null || indexName === void 0 ? void 0 : indexName.startsWith(`${collection}_`)) && indexName.endsWith('_unique')) {
-            field = indexName.slice(collection.length + 1, -7);
+            field = indexName === null || indexName === void 0 ? void 0 : indexName.slice(collection.length + 1, -7);
         }
-        const invalid = matches[0].slice(1, -1);
+        const invalid = (_e = matches[0]) === null || _e === void 0 ? void 0 : _e.slice(1, -1);
         return new record_not_unique_1.RecordNotUniqueException(field, {
             collection,
             field,
@@ -79,57 +80,61 @@ function uniqueViolation(error) {
     }
 }
 function numericValueOutOfRange(error) {
+    var _a, _b;
     const betweenTicks = /`([^`]+)`/g;
     const betweenQuotes = /'([^']+)'/g;
     const tickMatches = error.sql.match(betweenTicks);
     const quoteMatches = error.sqlMessage.match(betweenQuotes);
     if (!tickMatches || !quoteMatches)
         return error;
-    const collection = tickMatches[0].slice(1, -1);
-    const field = quoteMatches[0].slice(1, -1);
+    const collection = (_a = tickMatches[0]) === null || _a === void 0 ? void 0 : _a.slice(1, -1);
+    const field = (_b = quoteMatches[0]) === null || _b === void 0 ? void 0 : _b.slice(1, -1);
     return new value_out_of_range_1.ValueOutOfRangeException(field, {
         collection,
         field,
     });
 }
 function valueLimitViolation(error) {
+    var _a, _b;
     const betweenTicks = /`([^`]+)`/g;
     const betweenQuotes = /'([^']+)'/g;
     const tickMatches = error.sql.match(betweenTicks);
     const quoteMatches = error.sqlMessage.match(betweenQuotes);
     if (!tickMatches || !quoteMatches)
         return error;
-    const collection = tickMatches[0].slice(1, -1);
-    const field = quoteMatches[0].slice(1, -1);
+    const collection = (_a = tickMatches[0]) === null || _a === void 0 ? void 0 : _a.slice(1, -1);
+    const field = (_b = quoteMatches[0]) === null || _b === void 0 ? void 0 : _b.slice(1, -1);
     return new value_too_long_1.ValueTooLongException(field, {
         collection,
         field,
     });
 }
 function notNullViolation(error) {
+    var _a, _b;
     const betweenTicks = /`([^`]+)`/g;
     const betweenQuotes = /'([^']+)'/g;
     const tickMatches = error.sql.match(betweenTicks);
     const quoteMatches = error.sqlMessage.match(betweenQuotes);
     if (!tickMatches || !quoteMatches)
         return error;
-    const collection = tickMatches[0].slice(1, -1);
-    const field = quoteMatches[0].slice(1, -1);
+    const collection = (_a = tickMatches[0]) === null || _a === void 0 ? void 0 : _a.slice(1, -1);
+    const field = (_b = quoteMatches[0]) === null || _b === void 0 ? void 0 : _b.slice(1, -1);
     return new not_null_violation_1.NotNullViolationException(field, {
         collection,
         field,
     });
 }
 function foreignKeyViolation(error) {
+    var _a, _b, _c;
     const betweenTicks = /`([^`]+)`/g;
     const betweenParens = /\(([^)]+)\)/g;
     const tickMatches = error.sqlMessage.match(betweenTicks);
     const parenMatches = error.sql.match(betweenParens);
     if (!tickMatches || !parenMatches)
         return error;
-    const collection = tickMatches[1].slice(1, -1);
-    const field = tickMatches[3].slice(1, -1);
-    const invalid = parenMatches[1].slice(1, -1);
+    const collection = (_a = tickMatches[1]) === null || _a === void 0 ? void 0 : _a.slice(1, -1);
+    const field = (_b = tickMatches[3]) === null || _b === void 0 ? void 0 : _b.slice(1, -1);
+    const invalid = (_c = parenMatches[1]) === null || _c === void 0 ? void 0 : _c.slice(1, -1);
     return new invalid_foreign_key_1.InvalidForeignKeyException(field, {
         collection,
         field,
@@ -137,12 +142,13 @@ function foreignKeyViolation(error) {
     });
 }
 function containsNullValues(error) {
+    var _a;
     const betweenTicks = /`([^`]+)`/g;
     // Normally, we shouldn't read from the executed SQL. In this case, we're altering a single
     // column, so we shouldn't have the problem where multiple columns are altered at the same time
     const tickMatches = error.sql.match(betweenTicks);
     if (!tickMatches)
         return error;
-    const field = tickMatches[1].slice(1, -1);
+    const field = (_a = tickMatches[1]) === null || _a === void 0 ? void 0 : _a.slice(1, -1);
     return new contains_null_values_1.ContainsNullValuesException(field);
 }

package/dist/extensions.js

@@ -38,8 +38,6 @@ const get_schema_1 = require("./utils/get-schema");
 const services = __importStar(require("./services"));
 const node_cron_1 = require("node-cron");
 const rollup_1 = require("rollup");
-// @TODO Remove this once a new version of @rollup/plugin-virtual has been released
-// @ts-expect-error
 const plugin_virtual_1 = __importDefault(require("@rollup/plugin-virtual"));
 const plugin_alias_1 = __importDefault(require("@rollup/plugin-alias"));
 const url_1 = require("./utils/url");

package/dist/middleware/authenticate.d.ts

@@ -1,6 +1,8 @@
-import { RequestHandler } from 'express';
+/// <reference types="qs" />
+import { NextFunction, Request, Response } from 'express';
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-declare const authenticate: RequestHandler;
-export default authenticate;
+export declare const handler: (req: Request, res: Response, next: NextFunction) => Promise<void>;
+declare const _default: import("express").RequestHandler<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
+export default _default;

package/dist/middleware/authenticate.js

@@ -1,39 +1,23 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+exports.handler = void 0;
+const lodash_1 = require("lodash");
 const database_1 = __importDefault(require("../database"));
+const emitter_1 = __importDefault(require("../emitter"));
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_ip_from_req_1 = require("../utils/get-ip-from-req");
 const is_directus_jwt_1 = __importDefault(require("../utils/is-directus-jwt"));
+const jwt_1 = require("../utils/jwt");
 /**
  * Verify the passed JWT and assign the user ID and role to `req`
  */
-const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
-    req.accountability = {
+const handler = async (req, res, next) => {
+    const defaultAccountability = {
         user: null,
         role: null,
         admin: false,
@@ -42,23 +26,21 @@ const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
         userAgent: req.get('user-agent'),
     };
     const database = (0, database_1.default)();
+    const customAccountability = await emitter_1.default.emitFilter('authenticate', defaultAccountability, {
+        req,
+    }, {
+        database,
+        schema: null,
+        accountability: null,
+    });
+    if (customAccountability && (0, lodash_1.isEqual)(customAccountability, defaultAccountability) === false) {
+        req.accountability = customAccountability;
+        return next();
+    }
+    req.accountability = defaultAccountability;
     if (req.token) {
         if ((0, is_directus_jwt_1.default)(req.token)) {
-            let payload;
-            try {
-                payload = jsonwebtoken_1.default.verify(req.token, env_1.default.SECRET, { issuer: 'directus' });
-            }
-            catch (err) {
-                if (err instanceof jsonwebtoken_1.TokenExpiredError) {
-                    throw new exceptions_1.InvalidCredentialsException('Token expired.');
-                }
-                else if (err instanceof jsonwebtoken_1.JsonWebTokenError) {
-                    throw new exceptions_1.InvalidCredentialsException('Token invalid.');
-                }
-                else {
-                    throw err;
-                }
-            }
+            const payload = (0, jwt_1.verifyAccessJWT)(req.token, env_1.default.SECRET);
             req.accountability.share = payload.share;
             req.accountability.share_scope = payload.share_scope;
             req.accountability.user = payload.id;
@@ -87,5 +69,6 @@ const authenticate = (0, async_handler_1.default)(async (req, res, next) => {
         }
     }
     return next();
-});
-exports.default = authenticate;
+};
+exports.handler = handler;
+exports.default = (0, async_handler_1.default)(exports.handler);

package/dist/middleware/respond.js

@@ -4,16 +4,15 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.respond = void 0;
-const json2csv_1 = require("json2csv");
 const ms_1 = __importDefault(require("ms"));
-const stream_1 = require("stream");
 const cache_1 = require("../cache");
 const env_1 = __importDefault(require("../env"));
 const async_handler_1 = __importDefault(require("../utils/async-handler"));
 const get_cache_key_1 = require("../utils/get-cache-key");
-const js2xmlparser_1 = require("js2xmlparser");
 const get_cache_headers_1 = require("../utils/get-cache-headers");
 const logger_1 = __importDefault(require("../logger"));
+const services_1 = require("../services");
+const get_date_formatted_1 = require("../utils/get-date-formatted");
 exports.respond = (0, async_handler_1.default)(async (req, res) => {
     var _a, _b, _c;
     const { cache } = (0, cache_1.getCache)();
@@ -39,6 +38,7 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         res.setHeader('Vary', 'Origin, Cache-Control');
     }
     if (req.sanitizedQuery.export) {
+        const exportService = new services_1.ExportService({ accountability: req.accountability, schema: req.schema });
         let filename = '';
         if (req.collection) {
             filename += req.collection;
@@ -46,32 +46,21 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         else {
             filename += 'Export';
         }
-        filename += ' ' + getDateFormatted();
+        filename += ' ' + (0, get_date_formatted_1.getDateFormatted)();
         if (req.sanitizedQuery.export === 'json') {
             res.attachment(`${filename}.json`);
             res.set('Content-Type', 'application/json');
-            return res.status(200).send(JSON.stringify(((_a = res.locals.payload) === null || _a === void 0 ? void 0 : _a.data) || null, null, '\t'));
+            return res.status(200).send(exportService.transform((_a = res.locals.payload) === null || _a === void 0 ? void 0 : _a.data, 'json'));
         }
         if (req.sanitizedQuery.export === 'xml') {
             res.attachment(`${filename}.xml`);
             res.set('Content-Type', 'text/xml');
-            return res.status(200).send((0, js2xmlparser_1.parse)('data', (_b = res.locals.payload) === null || _b === void 0 ? void 0 : _b.data));
+            return res.status(200).send(exportService.transform((_b = res.locals.payload) === null || _b === void 0 ? void 0 : _b.data, 'xml'));
         }
         if (req.sanitizedQuery.export === 'csv') {
             res.attachment(`${filename}.csv`);
             res.set('Content-Type', 'text/csv');
-            const stream = new stream_1.PassThrough();
-            if (!((_c = res.locals.payload) === null || _c === void 0 ? void 0 : _c.data) || res.locals.payload.data.length === 0) {
-                stream.end(Buffer.from(''));
-                return stream.pipe(res);
-            }
-            else {
-                stream.end(Buffer.from(JSON.stringify(res.locals.payload.data), 'utf-8'));
-                const json2csv = new json2csv_1.Transform({
-                    transforms: [json2csv_1.transforms.flatten({ separator: '.' })],
-                });
-                return stream.pipe(json2csv).pipe(res);
-            }
+            return res.status(200).send(exportService.transform((_c = res.locals.payload) === null || _c === void 0 ? void 0 : _c.data, 'csv'));
         }
     }
     if (Buffer.isBuffer(res.locals.payload)) {
@@ -84,13 +73,3 @@ exports.respond = (0, async_handler_1.default)(async (req, res) => {
         return res.status(204).end();
     }
 });
-function getDateFormatted() {
-    const date = new Date();
-    let month = String(date.getMonth() + 1);
-    if (month.length === 1)
-        month = '0' + month;
-    let day = String(date.getDate());
-    if (day.length === 1)
-        day = '0' + day;
-    return `${date.getFullYear()}-${month}-${day} at ${date.getHours()}.${date.getMinutes()}.${date.getSeconds()}`;
-}

package/dist/server.js

@@ -36,8 +36,10 @@ const logger_1 = __importDefault(require("./logger"));
 const emitter_1 = __importDefault(require("./emitter"));
 const update_check_1 = __importDefault(require("update-check"));
 const package_json_1 = __importDefault(require("../package.json"));
+const get_config_from_env_1 = require("./utils/get-config-from-env");
 async function createServer() {
     const server = http.createServer(await (0, app_1.default)());
+    Object.assign(server, (0, get_config_from_env_1.getConfigFromEnv)('SERVER_'));
     server.on('request', function (req, res) {
         const startTime = process.hrtime();
         const complete = (0, lodash_1.once)(function (finished) {
@@ -124,9 +126,10 @@ async function createServer() {
 exports.createServer = createServer;
 async function startServer() {
     const server = await createServer();
+    const host = env_1.default.HOST;
     const port = env_1.default.PORT;
     server
-        .listen(port, () => {
+        .listen(port, host, () => {
         (0, update_check_1.default)(package_json_1.default)
             .then((update) => {
             if (update) {
@@ -136,7 +139,7 @@ async function startServer() {
             .catch(() => {
             // No need to log/warn here. The update message is only an informative nice-to-have
         });
-        logger_1.default.info(`Server started at http://localhost:${port}`);
+        logger_1.default.info(`Server started at http://${host}:${port}`);
         emitter_1.default.emitAction('server.start', { server }, {
             database: (0, database_1.default)(),
             schema: null,

package/dist/services/authorization.js

@@ -11,6 +11,7 @@ const exceptions_2 = require("@directus/shared/exceptions");
 const utils_1 = require("@directus/shared/utils");
 const items_1 = require("./items");
 const payload_1 = require("./payload");
+const strip_function_1 = require("../utils/strip-function");
 class AuthorizationService {
     constructor(options) {
         this.knex = options.knex || (0, database_1.default)();
@@ -34,6 +35,7 @@ class AuthorizationService {
             throw new exceptions_1.ForbiddenException();
         }
         validateFields(ast);
+        validateFilterPermissions(ast, this.schema, this.accountability);
         applyFilters(ast, this.accountability);
         return ast;
         /**
@@ -97,13 +99,70 @@ class AuthorizationService {
                     }
                     if (allowedFields.includes('*'))
                         continue;
-                    const fieldKey = childNode.name;
+                    const fieldKey = (0, strip_function_1.stripFunction)(childNode.name);
                     if (allowedFields.includes(fieldKey) === false) {
                         throw new exceptions_1.ForbiddenException();
                     }
                 }
             }
         }
+        function validateFilterPermissions(ast, schema, accountability) {
+            var _a, _b, _c, _d, _e;
+            if (ast.type !== 'field') {
+                if (ast.type === 'a2o') {
+                    for (const collection of Object.keys(ast.children)) {
+                        checkFilter(collection, (_c = (_b = (_a = ast.query) === null || _a === void 0 ? void 0 : _a[collection]) === null || _b === void 0 ? void 0 : _b.filter) !== null && _c !== void 0 ? _c : {});
+                        for (const child of ast.children[collection]) {
+                            validateFilterPermissions(child, schema, accountability);
+                        }
+                    }
+                }
+                else {
+                    checkFilter(ast.name, (_e = (_d = ast.query) === null || _d === void 0 ? void 0 : _d.filter) !== null && _e !== void 0 ? _e : {});
+                    for (const child of ast.children) {
+                        validateFilterPermissions(child, schema, accountability);
+                    }
+                }
+            }
+            function checkFilter(collection, filter) {
+                var _a;
+                const permissions = (_a = accountability === null || accountability === void 0 ? void 0 : accountability.permissions) === null || _a === void 0 ? void 0 : _a.find((permission) => permission.collection === collection);
+                if (!permissions)
+                    throw new exceptions_1.ForbiddenException();
+                const allowedFields = permissions.fields || [];
+                for (const [key, value] of Object.entries(filter)) {
+                    if (key.startsWith('_')) {
+                        // Continue checking for _and and _or
+                        if ((0, lodash_1.isArray)(value)) {
+                            for (const val of value) {
+                                checkFilter(collection, val);
+                            }
+                        }
+                    }
+                    else {
+                        if (allowedFields.length !== 0 &&
+                            allowedFields.includes('*') === false &&
+                            allowedFields.includes(key) === false) {
+                            throw new exceptions_1.ForbiddenException();
+                        }
+                        const relation = schema.relations.find((relation) => {
+                            var _a;
+                            return ((relation.collection === collection && relation.field === key) ||
+                                (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === key));
+                        });
+                        // Field is a relation
+                        if (relation) {
+                            if (relation.related_collection === collection) {
+                                checkFilter(relation.collection, value);
+                            }
+                            else {
+                                checkFilter(relation.related_collection, value);
+                            }
+                        }
+                    }
+                }
+            }
+        }
         function applyFilters(ast, accountability) {
             if (ast.type !== 'field') {
                 if (ast.type === 'a2o') {

package/dist/services/collections.js

@@ -129,7 +129,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return payload.collection;
     }
     /**
@@ -152,7 +152,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return collections;
     }
     /**
@@ -275,7 +275,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return collectionKey;
     }
     /**
@@ -298,7 +298,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return collectionKeys;
     }
     /**
@@ -379,7 +379,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return collectionKey;
     }
     /**
@@ -402,7 +402,7 @@ class CollectionsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE && (opts === null || opts === void 0 ? void 0 : opts.autoPurgeCache) !== false) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         return collectionKeys;
     }
 }

package/dist/services/fields.js

@@ -249,7 +249,7 @@ class FieldsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
     }
     async updateField(collection, field) {
         if (this.accountability && this.accountability.admin !== true) {
@@ -300,7 +300,7 @@ class FieldsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         emitter_1.default.emitAction(`fields.update`, {
             payload: hookAdjustedField,
             keys: [hookAdjustedField.field],
@@ -395,7 +395,7 @@ class FieldsService {
         if (this.cache && env_1.default.CACHE_AUTO_PURGE) {
             await this.cache.clear();
         }
-        await this.systemCache.clear();
+        await (0, cache_1.clearSystemCache)();
         emitter_1.default.emitAction('fields.delete', {
             payload: [field],
             collection: collection,

package/dist/services/files.js

@@ -1,4 +1,23 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -11,7 +30,9 @@ const lodash_1 = require("lodash");
 const mime_types_1 = require("mime-types");
 const path_1 = __importDefault(require("path"));
 const sharp_1 = __importDefault(require("sharp"));
-const url_1 = __importDefault(require("url"));
+const url_1 = __importStar(require("url"));
+const util_1 = require("util");
+const dns_1 = require("dns");
 const emitter_1 = __importDefault(require("../emitter"));
 const env_1 = __importDefault(require("../env"));
 const exceptions_1 = require("../exceptions");
@@ -19,6 +40,9 @@ const logger_1 = __importDefault(require("../logger"));
 const storage_1 = __importDefault(require("../storage"));
 const utils_1 = require("@directus/shared/utils");
 const items_1 = require("./items");
+const net_1 = __importDefault(require("net"));
+const os_1 = __importDefault(require("os"));
+const lookupDNS = (0, util_1.promisify)(dns_1.lookup);
 class FilesService extends items_1.ItemsService {
     constructor(options) {
         super('directus_files', options);
@@ -137,6 +161,49 @@ class FilesService extends items_1.ItemsService {
         if (this.accountability && ((_c = this.accountability) === null || _c === void 0 ? void 0 : _c.admin) !== true && !fileCreatePermissions) {
             throw new exceptions_1.ForbiddenException();
         }
+        let resolvedUrl;
+        try {
+            resolvedUrl = new url_1.URL(importURL);
+        }
+        catch (err) {
+            logger_1.default.warn(err, `Requested URL ${importURL} isn't a valid URL`);
+            throw new exceptions_1.ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
+                service: 'external-file',
+            });
+        }
+        let ip = resolvedUrl.hostname;
+        if (net_1.default.isIP(ip) === 0) {
+            try {
+                ip = (await lookupDNS(ip)).address;
+            }
+            catch (err) {
+                logger_1.default.warn(err, `Couldn't lookup the DNS for url ${importURL}`);
+                throw new exceptions_1.ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
+                    service: 'external-file',
+                });
+            }
+        }
+        if (env_1.default.IMPORT_IP_DENY_LIST.includes('0.0.0.0')) {
+            const networkInterfaces = os_1.default.networkInterfaces();
+            for (const networkInfo of Object.values(networkInterfaces)) {
+                if (!networkInfo)
+                    continue;
+                for (const info of networkInfo) {
+                    if (info.address === ip) {
+                        logger_1.default.warn(`Requested URL ${importURL} resolves to localhost.`);
+                        throw new exceptions_1.ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
+                            service: 'external-file',
+                        });
+                    }
+                }
+            }
+        }
+        if (env_1.default.IMPORT_IP_DENY_LIST.includes(ip)) {
+            logger_1.default.warn(`Requested URL ${importURL} resolves to a denied IP address.`);
+            throw new exceptions_1.ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
+                service: 'external-file',
+            });
+        }
         let fileResponse;
         try {
             fileResponse = await axios_1.default.get(importURL, {
@@ -144,8 +211,7 @@ class FilesService extends items_1.ItemsService {
             });
         }
         catch (err) {
-            logger_1.default.warn(`Couldn't fetch file from url "${importURL}"`);
-            logger_1.default.warn(err);
+            logger_1.default.warn(err, `Couldn't fetch file from url "${importURL}"`);
             throw new exceptions_1.ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
                 service: 'external-file',
             });

package/dist/services/graphql.js

@@ -1732,9 +1732,9 @@ class GraphQLService {
                     if (((_a = this.accountability) === null || _a === void 0 ? void 0 : _a.admin) !== true) {
                         throw new exceptions_1.ForbiddenException();
                     }
-                    const { cache, systemCache } = (0, cache_1.getCache)();
+                    const { cache } = (0, cache_1.getCache)();
                     await (cache === null || cache === void 0 ? void 0 : cache.clear());
-                    await systemCache.clear();
+                    await (0, cache_1.clearSystemCache)();
                     return;
                 },
             },