-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent file uploads in pm.sendRequest
#351
Prevent file uploads in pm.sendRequest
#351
Conversation
3a91c14
to
2fbfa88
Compare
if (request.body.mode === REQUEST_BODY_MODE_FILE) { | ||
// clone the request and remove file in body | ||
sanitizedRequest = _.clone(request); | ||
delete sanitizedRequest.body.file; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsure if delete sanitizedRequest.body.file
is better or sanitizedRequest.body.file = {}
is better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please set the value to null
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it 👍
if (request.body.mode === REQUEST_BODY_MODE_FILE) { | ||
// clone the request and remove file in body | ||
sanitizedRequest = _.clone(request); | ||
delete sanitizedRequest.body.file; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please set the value to null
* @returns {Request~definition} | ||
*/ | ||
sanitizeFiles = function (request, warn) { | ||
var sanitizedRequest, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The var block can be shifted to below the next if
, makes the code easier to read.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do 👍
if (sanitizedFormdata.length !== _.get(request, 'body.formdata.length')) { | ||
// clone the request and set form data without file params | ||
sanitizedRequest = _.clone(request); | ||
sanitizedRequest.formdata = sanitizedFormdata; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sanitisedRequest[REQUEST_BODY_MODE_FORMDATA] = sanitizedFormdata;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will change 👍
Is there any particular benefit of this or code quality in general?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should there ever be a change in the name given to formdata bodies, we'll have to change it in just one place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah okay, makes sense.
|
||
// handle request body in `formdata` mode | ||
if (request.body.mode === REQUEST_BODY_MODE_FORMDATA) { | ||
// extract any file type params |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel this segment could be made cleaner by:
- Cloning the request.
- Traversing the members of the cloned formdata request body.
- Setting any encountered
src
values to null.
This ensures that at most one copy+traversal of the request/request-body is made. Currently, the request body has to be traversed once during _.reject
, and then a second time via clone.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kunagpal the reason I do _.reject
first is, not all requests have file types in form data.
We should do a clone
only when we detect a file param. Otherwise, we would be doing the clone
even for requests without files
which is costlier than _.reject
of formdata
which would be much smaller.
This is another form of early bailout and deferring costly operations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough.
6c823b3
to
7d6a5f6
Compare
@kamalaknn Any specific reason for returning the sanitized request body via a callback? |
|
||
/** | ||
* Removes files in Request body if any. | ||
* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@private
this please
* @param {Function} callback function invoked with error and sanitizedRequest. | ||
* sanitizedRequest is `null` if no files are detected. | ||
*/ | ||
sanitizeFiles = function (request, callback) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think callback should always get the request from parameter so that it doesn't have to refer to the outer closure. ... as such the signature of callback could be error:Error, request:Request, affectedEntries:Array.<src:String>
- in this way, we would know that nothing was affected if _.isEmpty(affectedEntries) = true
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shamasis I have a question.
If callback always gets the request, raw or mutated, how is that different from the synchronous version with the return?
Also, the signature of affectedEntries
is not always an Array
, it could the entire body for file
mode. If I had to send the raw request and affected entries, and let the callback do the reconstruction of new request then sanitizeFiles
would not do much and it leaks concerns, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var outerFunction = function (request, callback) {
innerFunction(request, function (request) {
if (!request) { return callback(new Error()); }
callback(null, request);
});
};
var innerFunction = function (callback) {
};
// we can then write
outerFunction(myReqFromSandbox, function (err, ...) {});
return; | ||
} | ||
|
||
var tempRequest = request, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we would not need tempRequest
variable if sanitiseFIles always return a request or null if request itself is missing / cannot be constructed.
// clone cursor and add source | ||
var cursorWithSource = _.clone(cursor), | ||
// remove files in request body if any | ||
sanitizeFiles(request, function (err, sanitizedRequest, affectedEntries) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
call this parameter request
itself so that it overrides the outer closure variable in request and prevent bigs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I renamed it so linter does not complain about duplicate variable names.
Will change.
* release/6.2.6: (49 commits) Released v6.2.6 fix(package): update postman-sandbox to version 2.3.1 fix(package): update postman-collection to version 2.1.1 Move new cursor properties to _properties affetcedEntries -> sanitizedFiles Updated sanitiseFiles to mutate request and reduced code complexity chore(package): update sinon to version 3.2.1 sanitizedRequest -> request so that it overrides closure Use `cloneDeep` for cloning requests. Change signature of callback to accept sanitizedRequest and affectedEntries Make sanitizeFiles async Addressed PR #351 comments Set body.file to null instead of `delete` Added tests for requests with file uploads Sanitize files in request body if present chore(package): update editorconfig to version 0.14.1 chore(package): update tmp to version 0.0.33 chore(package): update sinon to version 3.2.0 Update package.json towards v6.2.6-beta.2 release Update postman-sandbox to 2.3.1-beta.3 ...
No description provided.