
Sanitize query for item read/update/delete operations in Flows #13900

Merged
merged 1 commit into main from fix/13745 on Jun 15, 2022

Conversation

azrikahar (Contributor)

Description

Fixes #13745

Problem

Normally requests pass through sanitizeQueryMiddleware:

```ts
const sanitizeQueryMiddleware: RequestHandler = (req, _res, next) => {
```

which, with the context of the reported issue in mind, includes sanitizeFilter, which subsequently uses parseFilter to parse dynamic variables such as $NOW(-24 hours):

```ts
function sanitizeFilter(rawFilter: any, accountability: Accountability | null) {
	let filters: Filter | null = rawFilter;
	if (typeof rawFilter === 'string') {
		try {
			filters = parseJSON(rawFilter);
		} catch {
			logger.warn('Invalid value passed for filter query parameter.');
		}
	}
	return parseFilter(filters, accountability);
}
```

However, the item read/update/delete operations don't go through the same middleware, so the queries are neither sanitized nor parsed. This then causes an error on PostgreSQL, as it'll try to use the unparsed dynamic variable directly in the query:

```
select "events"."id", "events"."timestamp" from "events" where "events"."timestamp" <= ? order by "events"."id" asc limit ? [ '$NOW(-24 hours)', 100 ]
```

SQLite doesn't really throw an error, but we can also see that it's using NaN instead, so the filter is incorrect:

```
select `events`.`id`, `events`.`timestamp` from `events` where `events`.`timestamp` <= ? order by `events`.`id` asc limit ? [NaN, 100]
```

Solution

Use sanitizeQuery util function within item read/update/delete operations.

  • Formed query in SQLite: select `events`.`id`, `events`.`timestamp` from `events` where `events`.`timestamp` <= ? order by `events`.`id` asc limit ? [1655102827181, 100]

  • Formed query in PostgreSQL: select "events"."id", "events"."timestamp" from "events" where "events"."timestamp" <= $1 order by "events"."id" asc limit $2 [Tue Jun 14 2022 15:08:21 GMT+0800 (Singapore Standard Time), 100]

Type of Change

  • Bugfix
  • New Feature
  • Refactor / codestyle updates
  • Other, please describe:

Requirements Checklist

  • New / updated tests are included
  • All tests are passing locally
  • Performed a self-review of the submitted code

If adding a new feature:

  • Documentation was added/updated
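
The behaviour the PR describes, as an added example that is not Directus's own code: a small re-implementation of the "parse dynamic variables before they reach the query builder" step. The $NOW grammar it accepts (an optional signed offset in seconds, minutes, hours, days or weeks) and the helper names resolveNow, parseDynamicFilter, sanitizeFilter and bindValues are assumptions made for illustration; the input filter is constructed. bindValues flattens a one-level {field: {_op: value}} filter into the values a query builder would bind, so the unsanitized path (raw '$NOW(-24 hours)' string bound as a parameter) can be compared with the sanitized one (an epoch timestamp, as in the SQLite log above).

```typescript
// Added example, not Directus's implementation. The $NOW grammar below is a
// simplification assumed for this demo: "$NOW" or "$NOW(<signed int> <unit>)".
const NOW_RE = /^\$NOW(?:\(\s*([+-]?\d+)\s*(second|minute|hour|day|week)s?\s*\))?$/i;

const UNIT_MS: Record<string, number> = {
  second: 1_000,
  minute: 60_000,
  hour: 3_600_000,
  day: 86_400_000,
  week: 604_800_000,
};

// Resolve a single "$NOW(...)" token relative to `now`; null if not a $NOW token.
function resolveNow(value: string, now: Date): Date | null {
  const m = NOW_RE.exec(value.trim());
  if (!m) return null;
  const amount = m[1] === undefined ? 0 : Number(m[1]);
  const unit = (m[2] ?? 'second').toLowerCase();
  const ms = UNIT_MS[unit];
  if (ms === undefined) return null;
  return new Date(now.getTime() + amount * ms);
}

// Walk a filter tree (objects, arrays, scalars) and replace every $NOW string
// with a concrete Date. Non-dynamic strings are passed through untouched.
function parseDynamicFilter(filter: unknown, now: Date): unknown {
  if (typeof filter === 'string') {
    return resolveNow(filter, now) ?? filter;
  }
  if (Array.isArray(filter)) {
    return filter.map((f) => parseDynamicFilter(f, now));
  }
  if (filter !== null && typeof filter === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(filter as Record<string, unknown>)) {
      out[k] = parseDynamicFilter(v, now);
    }
    return out;
  }
  return filter;
}

// Accept the filter as it arrives (JSON string from a query string, or an
// already-parsed object), mirroring the middleware's string-or-object handling.
// Invalid JSON yields null, i.e. the filter is dropped rather than passed on raw.
function sanitizeFilter(rawFilter: unknown, now: Date = new Date()): unknown {
  let filter: unknown = rawFilter;
  if (typeof rawFilter === 'string') {
    try {
      filter = JSON.parse(rawFilter);
    } catch {
      return null;
    }
  }
  return parseDynamicFilter(filter, now);
}

// Flatten {field: {_op: value}} into the bind values a query builder would send,
// converting Dates to epoch milliseconds the way the SQLite log shows.
function bindValues(filter: unknown): unknown[] {
  const out: unknown[] = [];
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) return out;
  for (const cond of Object.values(filter as Record<string, unknown>)) {
    if (cond === null || typeof cond !== 'object' || Array.isArray(cond)) continue;
    for (const v of Object.values(cond as Record<string, unknown>)) {
      out.push(v instanceof Date ? v.getTime() : v);
    }
  }
  return out;
}

// Constructed input: the filter from the reported issue, with a fixed clock.
const demoNow = new Date('2022-06-14T07:08:21Z');
const demoRaw = '{"timestamp":{"_lte":"$NOW(-24 hours)"}}';
console.log('unsanitized bind values:', bindValues(JSON.parse(demoRaw)));
console.log('sanitized bind values:  ', bindValues(sanitizeFilter(demoRaw, demoNow)));
```

Run with a fixed clock as above and the two printed arrays differ exactly as the PostgreSQL and SQLite logs in the description do: the unsanitized path binds the literal string, the sanitized path binds a timestamp 24 hours before `now`.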

@rijkvanzanten rijkvanzanten self-assigned this Jun 15, 2022
@rijkvanzanten rijkvanzanten added this to the v9-next milestone Jun 15, 2022
@rijkvanzanten rijkvanzanten merged commit 7cefbc9 into main Jun 15, 2022
@rijkvanzanten rijkvanzanten deleted the fix/13745 branch June 15, 2022 12:13
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 2, 2024
Successfully merging this pull request may close these issues.

Flows - Read Data and filter: invalid input syntax for type timestamp with time zone
2 participants