From d0cff8842d578367b215d195e408db052b8393b5 Mon Sep 17 00:00:00 2001
From: Konstantinos Feretos
Date: Fri, 20 Jan 2023 16:11:18 +0200
Subject: [PATCH] fix(hermes): numeric param parsing, REST middleware running before param validation (#491)

---
 libraries/hermes/src/GraphQl/GraphQL.ts |  4 ++--
 libraries/hermes/src/Rest/Rest.ts       | 20 +++++++++++---------
 libraries/hermes/src/Rest/util.ts       | 16 ++++++----------
 3 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/libraries/hermes/src/GraphQl/GraphQL.ts b/libraries/hermes/src/GraphQl/GraphQL.ts
index f4c588df3..070826e2d 100644
--- a/libraries/hermes/src/GraphQl/GraphQL.ts
+++ b/libraries/hermes/src/GraphQl/GraphQL.ts
@@ -288,8 +288,8 @@ export class GraphQLController extends ConduitRouter {
       },
       parseLiteral(ast) {
         if (ast.kind === Kind.INT || ast.kind === Kind.FLOAT) {
-          return ast.value;
-        } else if (ast.kind == Kind.STRING) {
+          return Number(ast.value);
+        } else if (ast.kind === Kind.STRING) {
           if (Number.isInteger(ast.value)) {
             return Number.parseInt(ast.value);
           } else if (!Number.isNaN(ast.value)) {
diff --git a/libraries/hermes/src/Rest/Rest.ts b/libraries/hermes/src/Rest/Rest.ts
index 66b5e67f8..7ed90cc0a 100644
--- a/libraries/hermes/src/Rest/Rest.ts
+++ b/libraries/hermes/src/Rest/Rest.ts
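Review bot: In the STRING branch right after the changed lines, `Number.isInteger(ast.value)` is always false for a string (it does not coerce) and `!Number.isNaN(ast.value)` is always true for a string (`Number.isNaN` only reports the NaN value itself), so every string literal — numeric or not — falls through to the `else if` body below the hunk; this commit fixes the INT/FLOAT path with `Number(ast.value)` but leaves the string path effectively unchecked. Converting once and testing the result, `const n = Number(ast.value); if (Number.isNaN(n)) /* reject as the scalar does today */; return n;`, would make the branch actually distinguish numeric from non-numeric strings, though the remainder of `parseLiteral` is outside the hunk so the rejection path should mirror whatever it currently returns. Note also that `Number('')` is `0` and `Number(' 12 ')` silently trims, so if only strict numeric strings are meant to be accepted, a pattern check before the conversion is safer than `Number` alone. `parseLiteral` continues past the hunk.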
@@ -144,22 +144,24 @@ export class RestController extends ConduitRouter {
   constructHandler(route: ConduitRoute): (req: Request, res: Response) => void {
     const self = this;
     return (req, res) => {
-      const context = extractRequestData(req);
+      const context = { ...extractRequestData(req), params: {} };
       let hashKey: string;
       const { caching, cacheAge, scope } = extractCaching(
         route,
         req.headers['cache-control'],
       );
+      if (route.input.bodyParams)
+        validateParams(context.bodyParams, route.input.bodyParams);
+      if (route.input.queryParams)
+        validateParams(context.queryParams, route.input.queryParams);
+      if (route.input.urlParams) validateParams(context.urlParams, route.input.urlParams);
+      context.params = {
+        ...context.bodyParams,
+        ...context.queryParams,
+        ...context.urlParams,
+      };
       self
         .checkMiddlewares(context, route.input.middlewares)
-        .then(r => {
-          validateParams(context.params, {
-            ...route.input.bodyParams,
-            ...route.input.queryParams,
-            ...route.input.urlParams,
-          });
-          return r;
-        })
         .then(r => {
           Object.assign(context.context, r);
           if (route.input.action !== ConduitRouteActions.GET) {
diff --git a/libraries/hermes/src/Rest/util.ts b/libraries/hermes/src/Rest/util.ts
index 911f61fa7..fa52cb393 100644
--- a/libraries/hermes/src/Rest/util.ts
+++ b/libraries/hermes/src/Rest/util.ts
@@ -6,7 +6,6 @@ type ConduitRequest = Request & { conduit?: Indexable };
 
 export function extractRequestData(req: ConduitRequest) {
   const context = req.conduit || {};
-  const params: any = {};
   const urlParams: any = {};
   const queryParams: any = {};
   const bodyParams: any = {};
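Review bot: The merge at the new `context.params = { ...context.bodyParams, ...context.queryParams, ...context.urlParams }` lets an unvalidated source override a validated one: each source is now checked only against its own schema (and skipped entirely when the route declares none), yet a same-named key from the query string still wins over the body value that `validateParams` just approved, so a handler reading `context.params.id` can receive a value that never went through the type check — the removed code validated the merged object, which did not have this gap. It also flips the precedence the removed `Object.assign(params, …)` calls in util.ts established (query, then body, then url, so body beat query), which is a behaviour change for any route receiving the same key from two sources. At minimum restore the old order, and preferably merge only the sources the route declares: `...(route.input.queryParams ? context.queryParams : {}),` `...(route.input.bodyParams ? context.bodyParams : {}),` `...(route.input.urlParams ? context.urlParams : {}),`. Separately, the three `validateParams` calls now run synchronously outside the promise chain, so if `validateParams` signals failure by throwing (its body is not in this diff) the error no longer reaches the chain's rejection handling but escapes the Express handler, which likely changes the status and body the client sees. The handler body continues past the hunk.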
@@ -25,29 +24,26 @@ export function extractRequestData(req: ConduitRequest) {
         newObj[k] = req.query[k];
       }
     });
-    Object.assign(params, newObj);
     Object.assign(queryParams, newObj);
   }
 
   if (req.body) {
-    Object.assign(params, req.body);
     Object.assign(bodyParams, req.body);
   }
 
   if (req.params) {
-    Object.assign(params, req.params);
     Object.assign(urlParams, req.params);
   }
 
-  if (params.populate) {
-    if (params.populate.includes(',')) {
-      params.populate = params.populate.split(',');
-    } else if (!Array.isArray(params.populate)) {
-      params.populate = [params.populate];
+  if (queryParams.populate) {
+    if (queryParams.populate.includes(',')) {
+      queryParams.populate = queryParams.populate.split(',');
+    } else if (!Array.isArray(queryParams.populate)) {
+      queryParams.populate = [queryParams.populate];
     }
   }
   const path = req.baseUrl + req.path;
-  return { context, params, headers, cookies, path, urlParams, queryParams, bodyParams };
+  return { context, headers, cookies, path, urlParams, queryParams, bodyParams };
 }
 
 export function validateParams(params: Params, routeDefinedParams: Params) {
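Review bot: The added `if (queryParams.populate.includes(','))` assumes a string, but the values copied from `req.query` by the loop above can be arrays (`?populate=a&populate=b`, which the later `Array.isArray` branch handles) or, if the app uses Express's extended query parser, objects (`?populate[x]=1`), and an object has no `includes`, so a client can trigger a synchronous TypeError inside `extractRequestData` before any validation or middleware runs; whether the parser is extended is not visible here, so treat that as something to confirm. Guard the split with `if (typeof queryParams.populate === 'string' && queryParams.populate.includes(','))` so non-string values reach the existing `Array.isArray` branch instead, and make sure whatever consumes `populate` downstream rejects entries that are not strings. Also worth noting that `populate` is now normalised only when it arrives in the query string, so a `populate` field in a JSON body still reaches the merged `params` but as the raw value — a behaviour change for any caller that relied on body-supplied `populate` being split. `extractRequestData` starts before the hunk.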