From 71b49a076ef30719b60a7938229aafac89e33cfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ot=C3=A1vio=20Jacobi?= Date: Fri, 20 Oct 2023 17:43:15 -0300 Subject: [PATCH] Blocks updating and creating webresources with non multipart-formdata requests Change-type: patch --- package.json | 1 - src/sbvr-api/hooks.ts | 1 + src/webresource-handler/index.ts | 20 ++++- test/06-webresource.test.ts | 76 +++++++++++++++++++ .../06-webresource/translations/v1/hooks.ts | 2 +- 5 files changed, 96 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index dcb240b9a..b85636b65 100644 --- a/package.json +++ b/package.json @@ -59,7 +59,6 @@ "memoizee": "^0.4.15", "pinejs-client-core": "^6.13.0", "randomstring": "^1.2.3", - "type-is": "^1.6.18", "typed-error": "^3.2.2" }, "devDependencies": { diff --git a/src/sbvr-api/hooks.ts b/src/sbvr-api/hooks.ts index 3f7e5ed04..ebbf1722d 100644 --- a/src/sbvr-api/hooks.ts +++ b/src/sbvr-api/hooks.ts @@ -29,6 +29,7 @@ export interface HookReq { custom?: AnyObject; tx?: Tx; hooks?: InstantiatedHooks; + is?: (type: string | string[]) => string | false | null; } export interface HookArgs { req: HookReq; diff --git a/src/webresource-handler/index.ts b/src/webresource-handler/index.ts index 1fabe9c1e..cae869cd2 100644 --- a/src/webresource-handler/index.ts +++ b/src/webresource-handler/index.ts @@ -1,9 +1,9 @@ import type * as Express from 'express'; import * as busboy from 'busboy'; -import * as is from 'type-is'; import * as stream from 'stream'; import * as uriParser from '../sbvr-api/uri-parser'; import * as sbvrUtils from '../sbvr-api/sbvr-utils'; +import type { HookArgs } from '../sbvr-api/hooks'; import { getApiRoot, getModel } from '../sbvr-api/sbvr-utils'; import { checkPermissions } from '../sbvr-api/permissions'; import { NoopHandler } from './handlers/NoopHandler'; @@ -108,7 +108,7 @@ export const getUploaderMiddlware = ( handler: WebResourceHandler, ): Express.RequestHandler => { return async (req, res, next) => { - if (!is(req, ['multipart'])) { + if (!req.is('multipart')) { return next(); } const uploadedFilePaths: string[] = []; @@ -226,10 +226,25 @@ const deleteFiles = async ( await Promise.all(promises); }; +const removeWebresourceInNonMultipartRequests = async ({ + req, + request, +}: HookArgs) => { + if (!req.is?.('multipart')) { + const webResourceFields = getWebResourceFields(request); + for (const field of webResourceFields) { + if (request.values[field] != null) { + delete request.values[field]; + } + } + } +}; + const getCreateWebResourceHooks = ( webResourceHandler: WebResourceHandler, ): sbvrUtils.Hooks => { return { + POSTPARSE: removeWebresourceInNonMultipartRequests, 'POSTRUN-ERROR': async ({ tx, request }) => { tx?.on('rollback', () => { void deleteRollbackPendingFields(request, webResourceHandler); @@ -268,6 +283,7 @@ const getRemoveWebResourceHooks = ( webResourceHandler: WebResourceHandler, ): sbvrUtils.Hooks => { return { + POSTPARSE: removeWebresourceInNonMultipartRequests, PRERUN: async (args) => { const { api, request, tx } = args; let webResourceFields = getWebResourceFields(request); diff --git a/test/06-webresource.test.ts b/test/06-webresource.test.ts index dba30fa8b..b5b57369d 100644 --- a/test/06-webresource.test.ts +++ b/test/06-webresource.test.ts @@ -484,6 +484,82 @@ describe('06 webresources tests', function () { expect(await isEventuallyDeleted(uniqueFilename)).to.be.true; }); + it('should not accept webresource payload on application/json requests', async () => { + const uniqueFilename = `${randomUUID()}_${filename}`; + + const { body: organization } = await supertest(testLocalServer) + .post(`/${resourceName}/organization`) + .send({ + name: 'John', + [resourcePath]: { + filename: uniqueFilename, + content_type: contentType, + size: fileSize, + href: 'http://dummy/bucket/other_href', + }, + }) + .expect(201); + + expect(organization[resourcePath]).to.be.null; + const getRes = await supertest(testLocalServer) + .get(`/${resourceName}/organization(${organization.id})`) + .expect(200); + + expect(getRes.body.d[0][resourcePath]).to.be.null; + }); + + it('does not modify stored file if uploading with application/json requests', async () => { + const uniqueFilename = `${randomUUID()}_${filename}`; + + const { body: organization } = await supertest(testLocalServer) + .post(`/${resourceName}/organization`) + .field('name', 'john') + .attach(resourcePath, filePath, { + filename: uniqueFilename, + contentType, + }) + .expect(201); + + const href = organization[resourcePath].href; + + await supertest(testLocalServer) + .patch(`/${resourceName}/organization(${organization.id})`) + .send({ name: 'test' }) + .expect(200); + + const getRes = await supertest(testLocalServer) + .get(`/${resourceName}/organization(${organization.id})`) + .expect(200); + + expect(getRes.body.d[0].name).to.be.eq('test'); + expect(getRes.body.d[0][resourcePath].href).to.be.eq(href); + }); + + it('should delete resource in S3 when passing null in application/json request', async () => { + const uniqueFilename = `${randomUUID()}_${filename}`; + + const { body: organization } = await supertest(testLocalServer) + .post(`/${resourceName}/organization`) + .field('name', 'john') + .attach(resourcePath, filePath, { + filename: uniqueFilename, + contentType, + }) + .expect(201); + + await supertest(testLocalServer) + .patch(`/${resourceName}/organization(${organization.id})`) + .send({ [resourcePath]: null }) + .expect(200); + + const getRes = await supertest(testLocalServer) + .get(`/${resourceName}/organization(${organization.id})`) + .expect(200); + + expect(getRes.body.d[0][resourcePath]).to.be.null; + expect(await isEventuallyDeleted(uniqueFilename)).to.be.true; + }); + it('does not fail to serve if S3 resource is deleted but entry exists', async () => { // This tests the current behavior, but we might want to change it in the future // because the current behavior allows for a dangling reference to exist diff --git a/test/fixtures/06-webresource/translations/v1/hooks.ts b/test/fixtures/06-webresource/translations/v1/hooks.ts index a6d3c659e..c4cb2e098 100644 --- a/test/fixtures/06-webresource/translations/v1/hooks.ts +++ b/test/fixtures/06-webresource/translations/v1/hooks.ts @@ -10,7 +10,7 @@ const addHook = ( addHook(['PUT', 'POST', 'PATCH'], 'organization', { async POSTPARSE({ request }) { - if (request.values.other_image) { + if (request.values.other_image !== undefined) { request.values.logo_image = request.values.other_image; delete request.values.other_image; }