
fix(find): fix sql injection issue #225

Merged
merged 5 commits into from Oct 31, 2019

Conversation

@goldcaddy77
Owner

goldcaddy77 commented Oct 17, 2019

No description provided.

switch (operator) {
case 'eq':
if (value === null) {
return [attr, IsNull()];


goldcaddy77 Oct 17, 2019

Author Owner

TODO: translate these operators to the equivalent query builder operations


// extends WhereInput
addQueryBuilderWhere<E, W extends any>(qb: QueryBuilder<E>, where: W) {
const whereOptions: { [key: string]: FindOperator<any> } = {};


goldcaddy77 Oct 29, 2019

Author Owner

No longer return anything here

src/torm/operators.ts
Object.keys(where).forEach(k => {
const key = k as keyof W;
const [attr, operator] = addQueryBuilderWhereItem(qb, String(key), where[key]);
whereOptions[attr] = operator;


goldcaddy77 Oct 29, 2019

Author Owner
createQueryBuilder("user")
    .where("user.firstName = :firstName", { firstName: "Timber" })
    .andWhere("user.lastName = :lastName", { lastName: "Saw" });
src/core/BaseService.ts
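The parameterized `andWhere` pattern quoted in the comment above, applied to the WhereInput translation this PR replaces. This is an added example, not the project's code: `QueryBuilderLike`, `addWhereItem`, `buildWhere` and the operator list are assumptions standing in for TypeORM's `andWhere(clause, params)` shape and the project's operator set.

```typescript
// Added example (not the project's code): translate WhereInput keys such as
// `firstName_eq` or `age_gt` into parameterized where clauses, so values never
// reach the SQL text. QueryBuilderLike stands in for TypeORM's andWhere shape.
interface QueryBuilderLike {
  andWhere(clause: string, params?: Record<string, unknown>): QueryBuilderLike;
}
// Operator suffix -> SQL comparison (constructed list; a Map so prototype names can't match).
const COMPARISONS = new Map<string, string>([
  ['eq', '='], ['not', '<>'], ['lt', '<'], ['lte', '<='], ['gt', '>'], ['gte', '>='],
]);

function addWhereItem(qb: QueryBuilderLike, alias: string, key: string,
                      value: unknown, n: number): void {
  const idx = key.lastIndexOf('_');
  const attr = idx === -1 ? key : key.slice(0, idx);
  const operator = idx === -1 ? 'eq' : key.slice(idx + 1);
  // The attribute name is the one piece of caller input that lands in the
  // clause text, so restrict it to a plain identifier.
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(attr)) {
    throw new Error(`invalid attribute name: ${attr}`);
  }
  const col = `${alias}.${attr}`;
  const p = `param${n}`; // unique bind-parameter name per clause
  const cmp = COMPARISONS.get(operator);
  if (operator === 'eq' && value === null) {
    qb.andWhere(`${col} IS NULL`);
  } else if (operator === 'in') {
    qb.andWhere(`${col} IN (:...${p})`, { [p]: value }); // TypeORM array spread
  } else if (cmp !== undefined) {
    qb.andWhere(`${col} ${cmp} :${p}`, { [p]: value });
  } else {
    throw new Error(`unknown operator: ${operator}`);
  }
}

// Records clauses and bound parameters so the result can be inspected offline.
class RecordingQueryBuilder implements QueryBuilderLike {
  clauses: string[] = [];
  params: Record<string, unknown> = {};
  andWhere(clause: string, params: Record<string, unknown> = {}): QueryBuilderLike {
    this.clauses.push(clause);
    Object.assign(this.params, params);
    return this;
  }
}

function buildWhere(alias: string, where: Record<string, unknown>) {
  const qb = new RecordingQueryBuilder();
  Object.keys(where).forEach((k, i) => addWhereItem(qb, alias, k, where[k], i));
  return { sql: qb.clauses.join(' AND '), params: qb.params };
}
```

A hostile value ends up as a bound parameter, while a hostile attribute name is rejected before it can reach the clause text.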
@goldcaddy77 goldcaddy77 force-pushed the fix-sql-injection branch from 54c5a09 to 4fe6305 Oct 30, 2019
@@ -30,7 +30,6 @@ describe('Server', () => {
expect(server.schema).toBeTruthy();
expect(appListenSpy).toHaveBeenCalledTimes(0);
expect(hasGraphQlRoute(server.expressApp._router)).toBeTruthy();
expect(server.expressApp.settings.env).toEqual('test');
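Review bot: the header `@@ -30,7 +30,6 @@` records one line removed from the 'Server' describe block, but the removed line is not visible in this excerpt and the PR is titled as a SQL injection fix; please state in the commit message which expectation was dropped and why, or move the test change into its own commit, so that a weakened server test does not ride along unexplained with a security fix.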


goldcaddy77 Oct 30, 2019

Author Owner

Ask Ian about this.

@goldcaddy77 goldcaddy77 force-pushed the fix-sql-injection branch 3 times, most recently from 98c3b4c to c85d785 Oct 30, 2019
@goldcaddy77 goldcaddy77 force-pushed the fix-sql-injection branch from c85d785 to 783d1b1 Oct 31, 2019
codecov bot commented Oct 31, 2019

Codecov Report

Merging #225 into master will decrease coverage by 0.16%.
The diff coverage is 89.74%.


@@            Coverage Diff             @@
##           master     #225      +/-   ##
==========================================
- Coverage   90.77%   90.61%   -0.17%     
==========================================
  Files          67       67              
  Lines        1399     1407       +8     
  Branches      296      298       +2     
==========================================
+ Hits         1270     1275       +5     
- Misses        129      132       +3
Flag       Coverage Δ
#backend   90.61% <89.74%> (-0.17%) ⬇️

Impacted Files           Coverage Δ
src/torm/operators.ts    85.18% <85.71%> (-7.68%) ⬇️
src/core/BaseService.ts  92.55% <92%> (-0.39%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ceb5401...d37bc5f. Read the comment docs.

@goldcaddy77 goldcaddy77 force-pushed the fix-sql-injection branch from 783d1b1 to d37bc5f Oct 31, 2019
@goldcaddy77 goldcaddy77 merged commit 8f68e42 into master Oct 31, 2019
1 of 3 checks passed
codecov/patch 89.74% of diff hit (target 90.77%)
codecov/project 90.61% (-0.17%) compared to ceb5401
ci/circleci: build Your tests passed on CircleCI!
goldcaddy77 commented Oct 31, 2019

🎉 This PR is included in version 1.45.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
