Sanitize query for item read/update/delete operations in Flows #13900
Description
Fixes #13745
Problem
Normally, requests pass through sanitizeQueryMiddleware (directus/api/src/middleware/sanitize-query.ts, line 10 in e085228), which, with the context of the reported issue in mind, includes sanitizeFilter, which subsequently uses parseFilter to parse dynamic variables such as $NOW(-24 hours) (directus/api/src/utils/sanitize-query.ts, lines 116 to 128 in 9b6e143).
However, the item read/update/delete operations don't go through the same middleware, thus the queries are neither sanitized nor parsed. This then causes an error on PostgreSQL, as it'll try to use the unparsed dynamic variable directly in the query:
select "events"."id", "events"."timestamp" from "events" where "events"."timestamp" <= ? order by "events"."id" asc limit ? [ '$NOW(-24 hours)', 100 ]
SQLite doesn't really throw an error, but we can also see that it's using NaN instead, so the filter is incorrect:
select `events`.`id`, `events`.`timestamp` from `events` where `events`.`timestamp` <= ? order by `events`.`id` asc limit ? [NaN, 100]
Solution
Use the sanitizeQuery util function within item read/update/delete operations.
Formed query in SQLite:
select `events`.`id`, `events`.`timestamp` from `events` where `events`.`timestamp` <= ? order by `events`.`id` asc limit ? [1655102827181, 100]
Formed query in PostgreSQL:
select "events"."id", "events"."timestamp" from "events" where "events"."timestamp" <= $1 order by "events"."id" asc limit $2 [Tue Jun 14 2022 15:08:21 GMT+0800 (Singapore Standard Time), 100]