Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add validation on data.method when using transport.request #801

Merged
merged 4 commits into from
Jul 5, 2023
Merged

fix: add validation on data.method when using transport.request #801

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ca3a5da
fix: add validation on data.method when using tranport.request
SuZhou-Joe Jun 30, 2023
3a3457b
feat: add validation on endpoint
SuZhou-Joe Jun 30, 2023
28dbcd2
feat: add unit test
SuZhou-Joe Jul 3, 2023
a8e2df0
feat: add more protect
SuZhou-Joe Jul 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions server/services/CommonService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import {
} from "../../../../src/core/server";
import { IAPICaller } from "../../models/interfaces";

const VALID_METHODS = ["HEAD", "GET", "POST", "PUT", "DELETE"];

Hailong-am marked this conversation as resolved.
Show resolved Hide resolved
export interface ICommonCaller {
<T>(arg: any): T;
}
Expand All @@ -36,12 +38,42 @@ export default class IndexService {
try {
const { callAsCurrentUser: callWithRequest } = this.osDriver.asScoped(request);
const finalData = data;

/**
* The endpoint must not be an empty string, reference from proxy caller
*/
if (!endpoint) {
return response.custom({
statusCode: 200,
body: {
ok: false,
error: `Expected non-empty string on endpoint`,
},
});
}

/**
* Update path parameter to follow RFC/generic HTTP convention
*/
if (endpoint === "transport.request" && typeof finalData?.path === "string" && !/^\//.test(finalData?.path || "")) {
finalData.path = `/${finalData.path || ""}`;
}

/**
* Check valid method here
*/
if (endpoint === "transport.request" && data?.method) {
if (VALID_METHODS.indexOf(data.method?.toUpperCase()) === -1) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

? after data.method can be removed because it's checked for null in 65

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, good point and modify that to catch toUpperCase in case data.method is not a string.

return response.custom({
statusCode: 200,
body: {
ok: false,
error: `Method must be one of, case insensitive ['HEAD', 'GET', 'POST', 'PUT', 'DELETE']. Received '${data.method}'.`,
},
});
}
}

const payload = useQuery ? JSON.parse(finalData || "{}") : finalData;
const commonCallerResponse = await callWithRequest(endpoint, payload || {});
return response.custom({
Expand Down
Loading