Chore: Rest API query parameters handling (#25648)

RocketChat · May 26, 2022 · 31ae30f · 31ae30f
1 parent 052858d
commit 31ae30f
Show file tree

Hide file tree

Showing 9 changed files with 445 additions and 124 deletions.
diff --git a/apps/meteor/.mocharc.api.js b/apps/meteor/.mocharc.api.js
@@ -9,5 +9,5 @@ module.exports = {
 	timeout: 10000,
 	bail: true,
 	file: 'tests/end-to-end/teardown.js',
-	spec: ['tests/end-to-end/api/*.js', 'tests/end-to-end/api/*.ts', 'tests/end-to-end/apps/*.js'],
+	spec: ['tests/unit/app/api/server/v1/*.spec.ts', 'tests/end-to-end/api/*.js', 'tests/end-to-end/api/*.ts', 'tests/end-to-end/apps/*.js'],
 };
diff --git a/apps/meteor/app/api/server/api.d.ts b/apps/meteor/app/api/server/api.d.ts
@@ -143,7 +143,7 @@ type Operations<TPathPattern extends PathPattern, TOptions extends Options = {}>
 };
 
 declare class APIClass<TBasePath extends string = '/'> {
-	fieldSeparator(fieldSeparator: unknown): void;
+	fieldSeparator: string;
 
 	limitedUserFieldsToExclude(fields: { [x: string]: unknown }, limitedUserFieldsToExclude: unknown): { [x: string]: unknown };
 

diff --git a/apps/meteor/app/api/server/api.js b/apps/meteor/app/api/server/api.js
@@ -425,6 +425,9 @@ export class APIClass extends Restivus {
 							connection,
 						});
 
+						this.queryOperations = options.queryOperations;
+						this.queryFields = options.queryFields;
+
 						result = DDP._CurrentInvocation.withValue(invocation, () => Promise.await(originalAction.apply(this))) || API.v1.success();
 
 						log.http({

diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.js b/apps/meteor/app/api/server/helpers/parseJsonQuery.js
diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -0,0 +1,142 @@
+import { Meteor } from 'meteor/meteor';
+import { EJSON } from 'meteor/ejson';
+
+import { hasPermission } from '../../../authorization/server';
+import { isValidQuery } from '../lib/isValidQuery';
+import { clean } from '../lib/cleanQuery';
+import { API } from '../api';
+
+const pathAllowConf = {
+	'/api/v1/users.list': ['$or', '$regex', '$and'],
+	'def': ['$or', '$and', '$regex'],
+};
+
+API.helperMethods.set(
+	'parseJsonQuery',
+	function _parseJsonQuery(this: {
+		request: {
+			route: string;
+		};
+		queryParams: {
+			query?: string;
+			sort?: string;
+			fields?: string;
+		};
+		logger: any;
+		userId: string;
+		queryFields: string[];
+		queryOperations: string[];
+	}) {
+		let sort;
+		if (this.queryParams.sort) {
+			try {
+				sort = JSON.parse(this.queryParams.sort);
+				Object.entries(sort).forEach(([key, value]) => {
+					if (value !== 1 && value !== -1) {
+						throw new Meteor.Error('error-invalid-sort-parameter', `Invalid sort parameter: ${key}`, {
+							helperMethod: 'parseJsonQuery',
+						});
+					}
+				});
+			} catch (e) {
+				this.logger.warn(`Invalid sort parameter provided "${this.queryParams.sort}":`, e);
+				throw new Meteor.Error('error-invalid-sort', `Invalid sort parameter provided: "${this.queryParams.sort}"`, {
+					helperMethod: 'parseJsonQuery',
+				});
+			}
+		}
+
+		let fields: Record<string, 0 | 1> | undefined;
+		if (this.queryParams.fields) {
+			try {
+				fields = JSON.parse(this.queryParams.fields) as Record<string, 0 | 1>;
+
+				Object.entries(fields).forEach(([key, value]) => {
+					if (value !== 1 && value !== 0) {
+						throw new Meteor.Error('error-invalid-sort-parameter', `Invalid fields parameter: ${key}`, {
+							helperMethod: 'parseJsonQuery',
+						});
+					}
+				});
+			} catch (e) {
+				this.logger.warn(`Invalid fields parameter provided "${this.queryParams.fields}":`, e);
+				throw new Meteor.Error('error-invalid-fields', `Invalid fields parameter provided: "${this.queryParams.fields}"`, {
+					helperMethod: 'parseJsonQuery',
+				});
+			}
+		}
+
+		// Verify the user's selected fields only contains ones which their role allows
+		if (typeof fields === 'object') {
+			let nonSelectableFields = Object.keys(API.v1.defaultFieldsToExclude);
+			if (this.request.route.includes('/v1/users.')) {
+				const getFields = () =>
+					Object.keys(
+						hasPermission(this.userId, 'view-full-other-user-info')
+							? API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser
+							: API.v1.limitedUserFieldsToExclude,
+					);
+				nonSelectableFields = nonSelectableFields.concat(getFields());
+			}
+
+			Object.keys(fields).forEach((k) => {
+				if (nonSelectableFields.includes(k) || nonSelectableFields.includes(k.split(API.v1.fieldSeparator)[0])) {
+					fields && delete fields[k as keyof typeof fields];
+				}
+			});
+		}
+
+		// Limit the fields by default
+		fields = Object.assign({}, fields, API.v1.defaultFieldsToExclude);
+		if (this.request.route.includes('/v1/users.')) {
+			if (hasPermission(this.userId, 'view-full-other-user-info')) {
+				fields = Object.assign(fields, API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser);
+			} else {
+				fields = Object.assign(fields, API.v1.limitedUserFieldsToExclude);
+			}
+		}
+
+		let query: Record<string, any> = {};
+		if (this.queryParams.query) {
+			this.logger.warn('attribute query is deprecated');
+			try {
+				query = EJSON.parse(this.queryParams.query);
+				query = clean(query, pathAllowConf.def);
+			} catch (e) {
+				this.logger.warn(`Invalid query parameter provided "${this.queryParams.query}":`, e);
+				throw new Meteor.Error('error-invalid-query', `Invalid query parameter provided: "${this.queryParams.query}"`, {
+					helperMethod: 'parseJsonQuery',
+				});
+			}
+		}
+
+		// Verify the user has permission to query the fields they are
+		if (typeof query === 'object') {
+			let nonQueryableFields = Object.keys(API.v1.defaultFieldsToExclude);
+
+			if (this.request.route.includes('/v1/users.')) {
+				if (hasPermission(this.userId, 'view-full-other-user-info')) {
+					nonQueryableFields = nonQueryableFields.concat(Object.keys(API.v1.limitedUserFieldsToExcludeIfIsPrivilegedUser));
+				} else {
+					nonQueryableFields = nonQueryableFields.concat(Object.keys(API.v1.limitedUserFieldsToExclude));
+				}
+			}
+
+			if (this.queryFields && !isValidQuery(query, this.queryFields || ['*'], this.queryOperations ?? pathAllowConf.def)) {
+				throw new Meteor.Error('error-invalid-query', isValidQuery.errors.join('\n'));
+			}
+
+			Object.keys(query).forEach((k) => {
+				if (nonQueryableFields.includes(k) || nonQueryableFields.includes(k.split(API.v1.fieldSeparator)[0])) {
+					query && delete query[k];
+				}
+			});
+		}
+
+		return {
+			sort,
+			fields,
+			query,
+		};
+	},
+);
diff --git a/apps/meteor/app/api/server/lib/cleanQuery.ts b/apps/meteor/app/api/server/lib/cleanQuery.ts
@@ -2,7 +2,7 @@ type Query = { [k: string]: any };
 
 const denyList = ['constructor', '__proto__', 'prototype'];
 
-const removeDangerousProps = (v: Query): Query => {
+export const removeDangerousProps = (v: Query): Query => {
 	const query = Object.create(null);
 	for (const key in v) {
 		if (v.hasOwnProperty(key) && !denyList.includes(key)) {
@@ -12,7 +12,7 @@ const removeDangerousProps = (v: Query): Query => {
 
 	return query;
 };
-
+/* @deprecated */
 export function clean(v: Query, allowList: string[] = []): Query {
 	const typedParam = removeDangerousProps(v);
 	if (v instanceof Object) {

diff --git a/apps/meteor/app/api/server/lib/isValidQuery.ts b/apps/meteor/app/api/server/lib/isValidQuery.ts
@@ -0,0 +1,58 @@
+import { removeDangerousProps } from './cleanQuery';
+
+type Query = { [k: string]: any };
+
+export const isValidQuery: {
+	(query: Query, allowedAttributes: string[], allowedOperations: string[]): boolean;
+	errors: string[];
+} = Object.assign(
+	(query: Query, allowedAttributes: string[], allowedOperations: string[]): boolean => {
+		isValidQuery.errors = [];
+		if (!(query instanceof Object)) {
+			throw new Error('query must be an object');
+		}
+
+		// eslint-disable-next-line @typescript-eslint/no-use-before-define
+		return verifyQuery(query, allowedAttributes, allowedOperations);
+	},
+	{
+		errors: [],
+	},
+);
+
+export const verifyQuery = (query: Query, allowedAttributes: string[], allowedOperations: string[], parent = ''): boolean => {
+	return Object.entries(removeDangerousProps(query)).every(([key, value]) => {
+		const path = parent ? `${parent}.${key}` : key;
+		if (parent === '' && path.startsWith('$')) {
+			if (!allowedOperations.includes(path)) {
+				isValidQuery.errors.push(`Invalid operation: ${path}`);
+				return false;
+			}
+			if (!Array.isArray(value)) {
+				isValidQuery.errors.push(`Invalid parameter for operation: ${path} : ${value}`);
+				return false;
+			}
+			return value.every((v) => verifyQuery(v, allowedAttributes, allowedOperations));
+		}
+
+		if (
+			!allowedAttributes.some((allowedAttribute) => {
+				if (allowedAttribute.endsWith('.*')) {
+					return path.startsWith(allowedAttribute.replace('.*', ''));
+				}
+				if (allowedAttribute.endsWith('*') && !allowedAttribute.endsWith('.*')) {
+					return true;
+				}
+				return path === allowedAttribute;
+			})
+		) {
+			isValidQuery.errors.push(`Invalid attribute: ${path}`);
+			return false;
+		}
+
+		if (value instanceof Object) {
+			return verifyQuery(value, allowedAttributes, allowedOperations, path);
+		}
+		return true;
+	});
+};