Fix #22572 Invalid query for random string (#22573)

* Fix #22572 Invalid query for random string * Add changeset * Run prettier * Fix unit tests warnings * redo validation with Joi * make validation on object level documents itself and is cleaner to expand on * Update changeset * Allow integer only * Require min value of 1 * Report as query error, ignore unknown queries --------- Co-authored-by: Daniel Biegler <DanielBiegler@users.noreply.github.com> Co-authored-by: Pascal Jufer <pascal-jufer@bluewin.ch>
directus · May 26, 2024 · 7d2a139 · 7d2a139
1 parent 76c8a63
commit 7d2a139
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/.changeset/large-pans-dance.md b/.changeset/large-pans-dance.md
@@ -0,0 +1,5 @@
+---
+"@directus/api": patch
+---
+
+Fixed an issue where calling `/random/string` with an invalid length param could prevent creation of valid sessions until next restart
diff --git a/api/src/controllers/utils.ts b/api/src/controllers/utils.ts
@@ -14,18 +14,20 @@ import { sanitizeQuery } from '../utils/sanitize-query.js';
 
 const router = Router();
 
+const randomStringSchema = Joi.object<{ length: number }>({
+	length: Joi.number().integer().min(1).max(500).default(32),
+});
+
 router.get(
 	'/random/string',
 	asyncHandler(async (req, res) => {
 		const { nanoid } = await import('nanoid');
 
-		if (req.query && req.query['length'] && Number(req.query['length']) > 500) {
-			throw new InvalidQueryError({ reason: `"length" can't be more than 500 characters` });
-		}
+		const { error, value } = randomStringSchema.validate(req.query, { allowUnknown: true });
 
-		const string = nanoid(req.query?.['length'] ? Number(req.query['length']) : 32);
+		if (error) throw new InvalidQueryError({ reason: error.message });
 
-		return res.json({ data: string });
+		return res.json({ data: nanoid(value.length) });
 	}),
 );
 

diff --git a/api/src/services/graphql/index.ts b/api/src/services/graphql/index.ts
@@ -2536,11 +2536,11 @@ export class GraphQLService {
 				resolve: async (_, args) => {
 					const { nanoid } = await import('nanoid');
 
-					if (args['length'] && Number(args['length']) > 500) {
-						throw new InvalidPayloadError({ reason: `"length" can't be more than 500 characters` });
+					if (args['length'] !== undefined && (args['length'] < 1 || args['length'] > 500)) {
+						throw new InvalidPayloadError({ reason: `"length" must be between 1 and 500` });
 					}
 
-					return nanoid(args['length'] ? Number(args['length']) : 32);
+					return nanoid(args['length'] ? args['length'] : 32);
 				},
 			},
 			utils_hash_generate: {