directus 9.9.0 → 9.11.0

package/dist/utils/get-column-path.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getColumnPath = void 0;
+const get_relation_info_1 = require("./get-relation-info");
+const exceptions_1 = require("../exceptions");
+const lodash_1 = require("lodash");
+/**
+ * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
+ * For example: ['author', 'role', 'name'] -> 'ljnsv.name'
+ */
+function getColumnPath({ path, collection, aliasMap, relations }) {
+    return followRelation(path);
+    function followRelation(pathParts, parentCollection = collection, parentAlias) {
+        /**
+         * For A2M fields, the path can contain an optional collection scope <field>:<scope>
+         */
+        const pathRoot = pathParts[0].split(':')[0];
+        const { relation, relationType } = (0, get_relation_info_1.getRelationInfo)(relations, parentCollection, pathRoot);
+        if (!relation) {
+            throw new exceptions_1.InvalidQueryException(`"${parentCollection}.${pathRoot}" is not a relational field`);
+        }
+        const alias = (0, lodash_1.get)(aliasMap, parentAlias ? [parentAlias, ...pathParts] : pathParts);
+        const remainingParts = pathParts.slice(1);
+        let parent;
+        if (relationType === 'a2o') {
+            const pathScope = pathParts[0].split(':')[1];
+            if (!pathScope) {
+                throw new exceptions_1.InvalidQueryException(`You have to provide a collection scope when sorting on a many-to-any item`);
+            }
+            parent = pathScope;
+        }
+        else if (relationType === 'm2o') {
+            parent = relation.related_collection;
+        }
+        else {
+            parent = relation.collection;
+        }
+        if (remainingParts.length === 1) {
+            return `${alias || parent}.${remainingParts[0]}`;
+        }
+        if (remainingParts.length) {
+            return followRelation(remainingParts, parent, alias);
+        }
+    }
+}
+exports.getColumnPath = getColumnPath;

package/dist/utils/get-default-value.js

@@ -3,9 +3,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-const get_local_type_1 = __importDefault(require("./get-local-type"));
-const logger_1 = __importDefault(require("../logger"));
 const env_1 = __importDefault(require("../env"));
+const logger_1 = __importDefault(require("../logger"));
+const get_local_type_1 = __importDefault(require("./get-local-type"));
+const parse_json_1 = require("./parse-json");
 function getDefaultValue(column) {
     var _a;
     const type = (0, get_local_type_1.default)(column);
@@ -59,7 +60,7 @@ function castToObject(value) {
         return value;
     if (typeof value === 'string') {
         try {
-            return JSON.parse(value);
+            return (0, parse_json_1.parseJSON)(value);
         }
         catch (err) {
             if (env_1.default.NODE_ENV === 'development') {

package/dist/utils/get-permissions.d.ts

@@ -1,2 +1,2 @@
-import { Permission, Accountability, SchemaOverview } from '@directus/shared/types';
+import { Accountability, Permission, SchemaOverview } from '@directus/shared/types';
 export declare function getPermissions(accountability: Accountability, schema: SchemaOverview): Promise<Permission[]>;

package/dist/utils/get-permissions.js

@@ -6,15 +6,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getPermissions = void 0;
 const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
+const object_hash_1 = __importDefault(require("object-hash"));
+const cache_1 = require("../cache");
 const database_1 = __importDefault(require("../database"));
 const app_access_permissions_1 = require("../database/system-data/app-access-permissions");
+const env_1 = __importDefault(require("../env"));
+const roles_1 = require("../services/roles");
+const users_1 = require("../services/users");
 const merge_permissions_1 = require("../utils/merge-permissions");
 const merge_permissions_for_share_1 = require("./merge-permissions-for-share");
-const users_1 = require("../services/users");
-const roles_1 = require("../services/roles");
-const cache_1 = require("../cache");
-const object_hash_1 = __importDefault(require("object-hash"));
-const env_1 = __importDefault(require("../env"));
+const parse_json_1 = require("./parse-json");
 async function getPermissions(accountability, schema) {
     const database = (0, database_1.default)();
     const { systemCache, cache } = (0, cache_1.getCache)();
@@ -84,19 +85,19 @@ function parsePermissions(permissions) {
     permissions = permissions.map((permissionRaw) => {
         const permission = (0, lodash_1.cloneDeep)(permissionRaw);
         if (permission.permissions && typeof permission.permissions === 'string') {
-            permission.permissions = JSON.parse(permission.permissions);
+            permission.permissions = (0, parse_json_1.parseJSON)(permission.permissions);
         }
         else if (permission.permissions === null) {
             permission.permissions = {};
         }
         if (permission.validation && typeof permission.validation === 'string') {
-            permission.validation = JSON.parse(permission.validation);
+            permission.validation = (0, parse_json_1.parseJSON)(permission.validation);
         }
         else if (permission.validation === null) {
             permission.validation = {};
         }
         if (permission.presets && typeof permission.presets === 'string') {
-            permission.presets = JSON.parse(permission.presets);
+            permission.presets = (0, parse_json_1.parseJSON)(permission.presets);
         }
         else if (permission.presets === null) {
             permission.presets = {};

package/dist/utils/get-relation-info.d.ts

@@ -0,0 +1,7 @@
+import { Relation } from '@directus/shared/types';
+declare type RelationInfo = {
+    relation: Relation | null;
+    relationType: string | null;
+};
+export declare function getRelationInfo(relations: Relation[], collection: string, field: string): RelationInfo;
+export {};

package/dist/utils/get-relation-info.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRelationInfo = void 0;
+const get_relation_type_1 = require("./get-relation-type");
+function getRelationInfo(relations, collection, field) {
+    var _a, _b;
+    if (field.startsWith('$FOLLOW') && field.length > 500) {
+        throw new Error(`Implicit $FOLLOW statement is too big to parse. Got: "${field.substring(500)}..."`);
+    }
+    const implicitRelation = (_a = field.match(/^\$FOLLOW\((.*?),(.*?)(?:,(.*?))?\)$/)) === null || _a === void 0 ? void 0 : _a.slice(1);
+    if (implicitRelation) {
+        if (implicitRelation[2] === undefined) {
+            const [m2oCollection, m2oField] = implicitRelation;
+            const relation = {
+                collection: m2oCollection.trim(),
+                field: m2oField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: null,
+            };
+            return { relation, relationType: 'o2m' };
+        }
+        else {
+            const [a2oCollection, a2oItemField, a2oCollectionField] = implicitRelation;
+            const relation = {
+                collection: a2oCollection.trim(),
+                field: a2oItemField.trim(),
+                related_collection: collection,
+                schema: null,
+                meta: {
+                    one_collection_field: a2oCollectionField.trim(),
+                },
+            };
+            return { relation, relationType: 'o2a' };
+        }
+    }
+    const relation = (_b = relations.find((relation) => {
+        var _a;
+        return ((relation.collection === collection && relation.field === field) ||
+            (relation.related_collection === collection && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === field));
+    })) !== null && _b !== void 0 ? _b : null;
+    const relationType = relation ? (0, get_relation_type_1.getRelationType)({ relation, collection, field }) : null;
+    return { relation, relationType };
+}
+exports.getRelationInfo = getRelationInfo;

package/dist/utils/get-relation-type.d.ts

@@ -1,6 +1,6 @@
 import { Relation } from '@directus/shared/types';
 export declare function getRelationType(getRelationOptions: {
-    relation: Relation;
+    relation?: Relation | null;
     collection: string | null;
     field: string;
 }): 'm2o' | 'o2m' | 'a2o' | null;

package/dist/utils/get-schema.js

@@ -8,6 +8,7 @@ const schema_1 = __importDefault(require("@directus/schema"));
 const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const cache_1 = require("../cache");
+const constants_1 = require("../constants");
 const database_1 = __importDefault(require("../database"));
 const collections_1 = require("../database/system-data/collections");
 const fields_1 = require("../database/system-data/fields");
@@ -16,6 +17,7 @@ const logger_1 = __importDefault(require("../logger"));
 const services_1 = require("../services");
 const get_default_value_1 = __importDefault(require("./get-default-value"));
 const get_local_type_1 = __importDefault(require("./get-local-type"));
+const parse_json_1 = require("./parse-json");
 async function getSchema(options) {
     const database = (options === null || options === void 0 ? void 0 : options.database) || (0, database_1.default)();
     const schemaInspector = (0, schema_1.default)(database);
@@ -113,10 +115,12 @@ async function getDatabaseSchema(database, schemaInspector) {
         const existing = result.collections[field.collection].fields[field.field];
         const column = schemaOverview[field.collection].columns[field.field];
         const special = field.special ? (0, utils_1.toArray)(field.special) : [];
+        if (constants_1.ALIAS_TYPES.some((type) => special.includes(type)) === false && !existing)
+            continue;
         const type = (existing && (0, get_local_type_1.default)(column, { special })) || 'alias';
         let validation = (_a = field.validation) !== null && _a !== void 0 ? _a : null;
         if (validation && typeof validation === 'string')
-            validation = JSON.parse(validation);
+            validation = (0, parse_json_1.parseJSON)(validation);
         result.collections[field.collection].fields[field.field] = {
             field: field.field,
             defaultValue: (_b = existing === null || existing === void 0 ? void 0 : existing.defaultValue) !== null && _b !== void 0 ? _b : null,

package/dist/utils/get-snapshot.js

@@ -16,17 +16,23 @@ async function getSnapshot(options) {
     const collectionsService = new services_1.CollectionsService({ knex: database, schema });
     const fieldsService = new services_1.FieldsService({ knex: database, schema });
     const relationsService = new services_1.RelationsService({ knex: database, schema });
-    const [collections, fields, relations] = await Promise.all([
+    const [collectionsRaw, fieldsRaw, relationsRaw] = await Promise.all([
         collectionsService.readByQuery(),
         fieldsService.readAll(),
         relationsService.readAll(),
     ]);
+    const collectionsFiltered = collectionsRaw.filter((item) => excludeSystem(item));
+    const fieldsFiltered = fieldsRaw.filter((item) => excludeSystem(item)).map(omitID);
+    const relationsFiltered = relationsRaw.filter((item) => excludeSystem(item)).map(omitID);
+    const collectionsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(collectionsFiltered, sortDeep), ['collection']);
+    const fieldsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(fieldsFiltered, sortDeep), ['collection', 'field']);
+    const relationsSorted = (0, lodash_1.sortBy)((0, lodash_1.mapValues)(relationsFiltered, sortDeep), ['collection', 'field']);
     return {
         version: 1,
         directus: package_json_1.version,
-        collections: collections.filter((item) => excludeSystem(item)),
-        fields: fields.filter((item) => excludeSystem(item)).map(omitID),
-        relations: relations.filter((item) => excludeSystem(item)).map(omitID),
+        collections: collectionsSorted,
+        fields: fieldsSorted,
+        relations: relationsSorted,
     };
 }
 exports.getSnapshot = getSnapshot;
@@ -39,3 +45,15 @@ function excludeSystem(item) {
 function omitID(item) {
     return (0, lodash_1.omit)(item, 'meta.id');
 }
+function sortDeep(raw) {
+    if ((0, lodash_1.isPlainObject)(raw)) {
+        const mapped = (0, lodash_1.mapValues)(raw, sortDeep);
+        const pairs = (0, lodash_1.toPairs)(mapped);
+        const sorted = (0, lodash_1.sortBy)(pairs);
+        return (0, lodash_1.fromPairs)(sorted);
+    }
+    if ((0, lodash_1.isArray)(raw)) {
+        return (0, lodash_1.sortBy)(raw);
+    }
+    return raw;
+}

package/dist/utils/merge-permissions-for-share.js

@@ -48,7 +48,7 @@ function mergePermissionsForShare(currentPermissions, accountability, schema) {
         }
     }
     // Explicitly filter out permissions to collections unrelated to the root parent item.
-    const limitedPermissions = currentPermissions.filter(({ collection }) => allowedCollections.includes(collection));
+    const limitedPermissions = currentPermissions.filter(({ action, collection }) => allowedCollections.includes(collection) && action === 'read');
     return (0, merge_permissions_1.mergePermissions)('and', limitedPermissions, generatedPermissions);
 }
 exports.mergePermissionsForShare = mergePermissionsForShare;

package/dist/utils/parse-json.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
+ */
+export declare function parseJSON(input: string): any;
+export declare function noproto<T>(key: string, value: T): T | void;

package/dist/utils/parse-json.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.noproto = exports.parseJSON = void 0;
+/**
+ * Run JSON.parse, but ignore `__proto__` properties. This prevents prototype pollution attacks
+ */
+function parseJSON(input) {
+    if (String(input).includes('__proto__')) {
+        return JSON.parse(input, noproto);
+    }
+    return JSON.parse(input);
+}
+exports.parseJSON = parseJSON;
+function noproto(key, value) {
+    if (key !== '__proto__') {
+        return value;
+    }
+}
+exports.noproto = noproto;

package/dist/utils/reduce-schema.js

@@ -25,19 +25,26 @@ function reduceSchema(schema, permissions, actions = ['create', 'read', 'update'
         return acc;
     }, {})) !== null && _a !== void 0 ? _a : {};
     for (const [collectionName, collection] of Object.entries(schema.collections)) {
-        if (permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === collectionName && actions.includes(permission.action))) {
-            const fields = {};
-            for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
-                if (((_b = allowedFieldsInCollection[collectionName]) === null || _b === void 0 ? void 0 : _b.includes('*')) ||
-                    ((_c = allowedFieldsInCollection[collectionName]) === null || _c === void 0 ? void 0 : _c.includes(fieldName))) {
-                    fields[fieldName] = field;
-                }
+        if (!(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === collectionName && actions.includes(permission.action)))) {
+            continue;
+        }
+        const fields = {};
+        for (const [fieldName, field] of Object.entries(schema.collections[collectionName].fields)) {
+            if (!((_b = allowedFieldsInCollection[collectionName]) === null || _b === void 0 ? void 0 : _b.includes('*')) &&
+                !((_c = allowedFieldsInCollection[collectionName]) === null || _c === void 0 ? void 0 : _c.includes(fieldName))) {
+                continue;
+            }
+            const o2mRelation = schema.relations.find((relation) => { var _a; return relation.related_collection === collectionName && ((_a = relation.meta) === null || _a === void 0 ? void 0 : _a.one_field) === fieldName; });
+            if (o2mRelation &&
+                !(permissions === null || permissions === void 0 ? void 0 : permissions.some((permission) => permission.collection === o2mRelation.collection && actions.includes(permission.action)))) {
+                continue;
             }
-            reduced.collections[collectionName] = {
-                ...collection,
-                fields,
-            };
+            fields[fieldName] = field;
         }
+        reduced.collections[collectionName] = {
+            ...collection,
+            fields,
+        };
     }
     reduced.relations = schema.relations.filter((relation) => {
         var _a, _b, _c;

package/dist/utils/sanitize-query.d.ts

@@ -1,3 +1,2 @@
-import { Query } from '@directus/shared/types';
-import { Accountability } from '@directus/shared/types';
+import { Accountability, Query } from '@directus/shared/types';
 export declare function sanitizeQuery(rawQuery: Record<string, any>, accountability?: Accountability | null): Query;

package/dist/utils/sanitize-query.js

@@ -4,10 +4,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.sanitizeQuery = void 0;
+const utils_1 = require("@directus/shared/utils");
 const lodash_1 = require("lodash");
 const logger_1 = __importDefault(require("../logger"));
 const types_1 = require("../types");
-const utils_1 = require("@directus/shared/utils");
+const parse_json_1 = require("./parse-json");
 function sanitizeQuery(rawQuery, accountability) {
     const query = {};
     if (rawQuery.limit !== undefined) {
@@ -82,7 +83,7 @@ function sanitizeAggregate(rawAggregate) {
     let aggregate = rawAggregate;
     if (typeof rawAggregate === 'string') {
         try {
-            aggregate = JSON.parse(rawAggregate);
+            aggregate = (0, parse_json_1.parseJSON)(rawAggregate);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -100,7 +101,7 @@ function sanitizeFilter(rawFilter, accountability) {
     let filters = rawFilter;
     if (typeof rawFilter === 'string') {
         try {
-            filters = JSON.parse(rawFilter);
+            filters = (0, parse_json_1.parseJSON)(rawFilter);
         }
         catch {
             logger_1.default.warn('Invalid value passed for filter query parameter.');
@@ -135,7 +136,7 @@ function sanitizeDeep(deep, accountability) {
     const result = {};
     if (typeof deep === 'string') {
         try {
-            deep = JSON.parse(deep);
+            deep = (0, parse_json_1.parseJSON)(deep);
         }
         catch {
             logger_1.default.warn('Invalid value passed for deep query parameter.');
@@ -169,7 +170,7 @@ function sanitizeAlias(rawAlias) {
     let alias = rawAlias;
     if (typeof rawAlias === 'string') {
         try {
-            alias = JSON.parse(rawAlias);
+            alias = (0, parse_json_1.parseJSON)(rawAlias);
         }
         catch (err) {
             logger_1.default.warn('Invalid value passed for alias query parameter.');

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "directus",
-	"version": "9.9.0",
+	"version": "9.11.0",
 	"license": "GPL-3.0-only",
 	"homepage": "https://github.com/directus/directus#readme",
 	"description": "Directus is a real-time API and App dashboard for managing SQL database content.",
@@ -78,16 +78,16 @@
 	],
 	"dependencies": {
 		"@aws-sdk/client-ses": "^3.40.0",
-		"@directus/app": "9.9.0",
-		"@directus/drive": "9.9.0",
-		"@directus/drive-azure": "9.9.0",
-		"@directus/drive-gcs": "9.9.0",
-		"@directus/drive-s3": "9.9.0",
-		"@directus/extensions-sdk": "9.9.0",
-		"@directus/format-title": "9.9.0",
-		"@directus/schema": "9.9.0",
-		"@directus/shared": "9.9.0",
-		"@directus/specs": "9.9.0",
+		"@directus/app": "9.11.0",
+		"@directus/drive": "9.11.0",
+		"@directus/drive-azure": "9.11.0",
+		"@directus/drive-gcs": "9.11.0",
+		"@directus/drive-s3": "9.11.0",
+		"@directus/extensions-sdk": "9.11.0",
+		"@directus/format-title": "9.11.0",
+		"@directus/schema": "9.11.0",
+		"@directus/shared": "9.11.0",
+		"@directus/specs": "9.11.0",
 		"@godaddy/terminus": "^4.9.0",
 		"@rollup/plugin-alias": "^3.1.9",
 		"@rollup/plugin-virtual": "^2.0.3",
@@ -124,7 +124,7 @@
 		"json2csv": "^5.0.3",
 		"jsonwebtoken": "^8.5.1",
 		"keyv": "^4.0.3",
-		"knex": "^0.95.14",
+		"knex": "^2.0.0",
 		"knex-schema-inspector": "1.7.3",
 		"ldapjs": "^2.3.1",
 		"liquidjs": "^9.25.0",
@@ -152,6 +152,7 @@
 		"sanitize-html": "^2.6.0",
 		"sharp": "^0.30.3",
 		"stream-json": "^1.7.1",
+		"strip-bom-stream": "^4.0.0",
 		"supertest": "^6.1.6",
 		"tmp-promise": "^3.0.3",
 		"update-check": "^1.5.4",
@@ -161,19 +162,16 @@
 	},
 	"optionalDependencies": {
 		"@keyv/redis": "^2.1.2",
-		"connect-memcached": "^1.0.0",
-		"connect-redis": "^6.0.0",
-		"connect-session-knex": "^2.1.0",
 		"ioredis": "^4.27.6",
 		"keyv-memcache": "^1.2.5",
 		"memcached": "^2.2.2",
 		"mysql": "^2.18.1",
 		"nodemailer-mailgun-transport": "^2.1.3",
 		"pg": "^8.6.0",
-		"sqlite3": "^5.0.2",
+		"sqlite3": "^5.0.6",
 		"tedious": "^13.0.0"
 	},
-	"gitHead": "fb252ca4cef57de1aa8d1914db6bc85730902e81",
+	"gitHead": "f52da51925296b6e615ae2f048727a391d3a2122",
 	"devDependencies": {
 		"@types/async": "3.2.10",
 		"@types/body-parser": "1.19.2",
@@ -216,7 +214,7 @@
 		"cross-env": "7.0.3",
 		"form-data": "^4.0.0",
 		"jest": "27.5.1",
-		"knex-mock-client": "1.6.1",
+		"knex-mock-client": "1.7.0",
 		"ts-jest": "27.1.3",
 		"ts-node-dev": "1.1.8",
 		"typescript": "4.5.2"