prevent unsupported operation call #154
@@ -223,7 +224,7 @@ function executeRequest (request, resolve, reject) { | |||
var service; | |||
try { | |||
service = Fetcher.getService(request.resource); | |||
if (!service[op]) { | |||
if ([OP_CREATE,OP_READ,OP_UPDATE,OP_DELETE].indexOf(op) < 0 || !service[op]) { |
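Review bot: in the changed condition, op is validated only after Fetcher.getService(request.resource) has already run, and the four-element array plus indexOf is rebuilt on every executeRequest call. Validate op before the service lookup and compare it to OP_CREATE, OP_READ, OP_UPDATE and OP_DELETE with !== directly. Since service[op] is a plain property lookup that also resolves inherited names, a short comment saying the allow-list is what blocks those would help the next reader, as would a test that sends an operation outside the four.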
@nysd Thanks for your contribution!
How about moving this check before the line above, and checking using === explicitly to avoid allocating an array and doing an indexOf every time request is executed?
@lingyan Thanks for your advice.
I agree with you and I moved this check from 'executeRequest' to 'Request' function.
@nysd Instead of moving this check to Request constructor and adding another try/catch, which is known to de-optimize the function for v8 engine, can we just do this check after line 431, the if (!Fetcher.isRegistered(singleRequest.resource)) { block, and call next(error) directly? Thanks!
@lingyan Thanks for your advice. I moved the operation check from Request constructor to after !Fetchr.isRegistered block. Please confirm my code.
CLA is valid!
👍 Thanks! @nysd
Released in fetcher@0.5.34
I think fetcher.js should allow only the 'read,create,update,delete' operations that fetchr.client supports, because I could call any operation like 'constructor'. This may cause a serious security problem.
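Added example, not part of this PR or of fetchr's source: it contrasts the original truthiness test on `service[op]` with an allow-list check written with `===`, as discussed in the review. The sample service and the helper names (`looseCheck`, `isSupportedOperation`, `compareChecks`) are hypothetical; only the four operation names come from the page.

```javascript
'use strict';
// Added illustration, not fetchr's code. Helper names and the sample
// service are hypothetical; the four operation names are from the PR.
const OP_CREATE = 'create';
const OP_READ = 'read';
const OP_UPDATE = 'update';
const OP_DELETE = 'delete';

// Constructed sample service: implements read and create only.
const sampleService = {
  name: 'sample',
  read: function (params) { return { id: params.id }; },
  create: function (params) { return { created: params.id }; }
};

// The pre-change test: bare truthiness of service[op]. Property lookup
// walks the prototype chain, so inherited names such as 'constructor'
// pass, and so does any non-function own property such as 'name'.
function looseCheck(service, op) {
  return Boolean(service[op]);
}

// Allow-list with strict equality (no array allocated per request),
// then confirm the service really implements the operation as a function.
function isSupportedOperation(service, op) {
  if (op !== OP_CREATE && op !== OP_READ && op !== OP_UPDATE && op !== OP_DELETE) {
    return false;
  }
  return typeof service[op] === 'function';
}

// Run both checks over constructed operation names a client could send.
function compareChecks(ops) {
  return ops.map(function (op) {
    return {
      op: op,
      loose: looseCheck(sampleService, op),
      strict: isSupportedOperation(sampleService, op)
    };
  });
}

console.log(compareChecks(['read', 'update', 'constructor', 'toString', 'name']));
```

Only `read` passes the strict check here; `update` is on the allow-list but rejected because the sample service does not implement it.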