Fix sql injection and add test cases

This commit is contained in:
Raymond Feng 2014-05-30 15:15:27 -07:00
parent 0208b082df
commit 51bf6e1034
2 changed files with 486 additions and 16 deletions

View File

@ -203,7 +203,7 @@ MySQL.prototype.create = function (model, data, callback) {
* @param {Object} data The model instance data
* @param {Function} [callback] The callback function
*/
MySQL.prototype.updateOrCreate = function (model, data, callback) {
MySQL.prototype.updateOrCreate = MySQL.prototype.save = function (model, data, callback) {
var mysql = this;
var fieldsNames = [];
var fieldValues = [];
@ -244,7 +244,9 @@ MySQL.prototype.toFields = function (model, data) {
Object.keys(data).forEach(function (key) {
if (props[key]) {
var value = this.toDatabase(props[key], data[key]);
if ('undefined' === typeof value) return;
if (undefined === value) {
return;
}
fields.push(self.columnEscaped(model, key) + ' = ' + value);
}
}.bind(this));
@ -271,8 +273,9 @@ function dateToMysql(val) {
* @returns {*}
*/
MySQL.prototype.toDatabase = function (prop, val) {
if (val === null) return 'NULL';
if (val === undefined) return 'NULL';
if (val === null || val === undefined) {
return 'NULL';
}
if (val.constructor.name === 'Object') {
var operator = Object.keys(val)[0]
val = val[operator];
@ -280,27 +283,36 @@ MySQL.prototype.toDatabase = function (prop, val) {
return this.toDatabase(prop, val[0]) +
' AND ' +
this.toDatabase(prop, val[1]);
} else if (operator == 'inq' || operator == 'nin') {
if (!(val.propertyIsEnumerable('length')) && typeof val === 'object' && typeof val.length === 'number') { //if value is array
} else if (operator === 'inq' || operator === 'nin') {
if (Array.isArray(val)) { //if value is array
for (var i = 0; i < val.length; i++) {
val[i] = this.client.escape(val[i]);
val[i] = this.toDatabase(prop, val[i]);
}
return val.join(',');
} else {
return val;
return this.toDatabase(prop, val);
}
}
}
if (!prop) return val;
if (prop.type.name === 'Number') return Number(val);
if (prop.type.name === 'Date') {
if (!val) return 'NULL';
if (!prop) {
return this.client.escape(val);
}
if (prop.type === Number) {
val = Number(val);
return isNaN(val) ? 'NULL' : val;
}
if (prop.type === Date) {
if (!val) {
return 'NULL';
}
if (!val.toUTCString) {
val = new Date(val);
}
return '"' + dateToMysql(val) + '"';
}
if (prop.type.name == "Boolean") return val ? 1 : 0;
if (prop.type === Boolean) {
return val ? 1 : 0;
}
if (prop.type.name === 'GeoPoint') {
return val ? 'Point(' + val.lat + ',' + val.lng + ')' : 'NULL';
}
@ -399,6 +411,9 @@ MySQL.prototype.buildWhere = function (model, conds) {
};
MySQL.prototype._buildWhere = function (model, conds) {
if (conds === null || conds === undefined || (typeof conds !== 'object')) {
return '';
}
var self = this;
var props = self._models[model].properties;
@ -483,7 +498,13 @@ function buildOrderBy(self, model, order) {
}
function buildLimit(limit, offset) {
return 'LIMIT ' + (offset ? (offset + ', ' + limit) : limit);
if (isNaN(limit)) {
limit = 0;
}
if (isNaN(offset)) {
offset = 0;
}
return 'LIMIT ' + (offset ? (offset + ',' + limit) : limit);
}
/**
@ -517,7 +538,7 @@ MySQL.prototype.all = function all(model, filter, callback) {
}
if (filter.limit) {
sql += ' ' + buildLimit(filter.limit, filter.skip || 0);
sql += ' ' + buildLimit(filter.limit, filter.skip || filter.offset || 0);
}
}
@ -541,6 +562,21 @@ MySQL.prototype.all = function all(model, filter, callback) {
};
MySQL.prototype.count = function count(model, callback, where) {
this.query('SELECT count(*) as cnt FROM ' +
this.tableEscaped(model) + ' ' + this.buildWhere(model, where),
function (err, res) {
if (err) {
return callback(err);
}
var c = (res && res[0] && res[0].cnt) || 0;
callback(err, c);
});
};
/**
* Delete instances for the given model
*
@ -554,7 +590,7 @@ MySQL.prototype.destroyAll = function destroyAll(model, where, callback) {
callback = where;
where = undefined;
}
this.query('DELETE FROM '
this.query('DELETE FROM '
+ this.tableEscaped(model) + ' ' + this.buildWhere(model, where || {}),
function (err, data) {
callback && callback(err, data);

434
test/mysql.test.js Normal file
View File

@ -0,0 +1,434 @@
var should = require('./init.js');
var Post, PostWithStringId, db;
describe('mysql', function () {
before(function (done) {
db = getDataSource();
Post = db.define('PostWithDefaultId', {
title: { type: String, length: 255, index: true },
content: { type: String },
stars: Number
});
PostWithStringId = db.define('PostWithStringId', {
id: {type: String, id: true},
title: { type: String, length: 255, index: true },
content: { type: String }
});
db.automigrate(['PostWithDefaultId', 'PostWithStringId'], function (err) {
should.not.exist(err);
done(err);
});
});
beforeEach(function (done) {
Post.destroyAll(function () {
PostWithStringId.destroyAll(function () {
done();
});
});
});
it('updateOrCreate should update the instance', function (done) {
Post.create({title: 'a', content: 'AAA'}, function (err, post) {
post.title = 'b';
Post.updateOrCreate(post, function (err, p) {
should.not.exist(err);
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
Post.findById(post.id, function (err, p) {
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal('b');
done();
});
});
});
});
it('updateOrCreate should update the instance without removing existing properties', function (done) {
Post.create({title: 'a', content: 'AAA'}, function (err, post) {
post = post.toObject();
delete post.title;
Post.updateOrCreate(post, function (err, p) {
should.not.exist(err);
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
Post.findById(post.id, function (err, p) {
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal('a');
done();
});
});
});
});
it('updateOrCreate should create a new instance if it does not exist', function (done) {
var post = {id: 123, title: 'a', content: 'AAA'};
Post.updateOrCreate(post, function (err, p) {
should.not.exist(err);
p.title.should.be.equal(post.title);
p.content.should.be.equal(post.content);
p.id.should.be.equal(post.id);
Post.findById(p.id, function (err, p) {
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal(post.title);
p.id.should.be.equal(post.id);
done();
});
});
});
it('save should update the instance with the same id', function (done) {
Post.create({title: 'a', content: 'AAA'}, function (err, post) {
post.title = 'b';
post.save(function (err, p) {
should.not.exist(err);
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
Post.findById(post.id, function (err, p) {
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal('b');
done();
});
});
});
});
it('save should update the instance without removing existing properties', function (done) {
Post.create({title: 'a', content: 'AAA'}, function (err, post) {
delete post.title;
post.save(function (err, p) {
should.not.exist(err);
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
Post.findById(post.id, function (err, p) {
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal('a');
done();
});
});
});
});
it('save should create a new instance if it does not exist', function (done) {
var post = new Post({id: 123, title: 'a', content: 'AAA'});
post.save(post, function (err, p) {
should.not.exist(err);
p.title.should.be.equal(post.title);
p.content.should.be.equal(post.content);
p.id.should.be.equal(post.id);
Post.findById(p.id, function (err, p) {
should.not.exist(err);
p.id.should.be.equal(post.id);
p.content.should.be.equal(post.content);
p.title.should.be.equal(post.title);
p.id.should.be.equal(post.id);
done();
});
});
});
it('all return should honor filter.fields', function (done) {
var post = new Post({title: 'b', content: 'BBB'})
post.save(function (err, post) {
Post.all({fields: ['title'], where: {title: 'b'}}, function (err, posts) {
should.not.exist(err);
posts.should.have.lengthOf(1);
post = posts[0];
post.should.have.property('title', 'b');
post.should.not.have.property('content');
should.not.exist(post.id);
done();
});
});
});
it('find should order by id if the order is not set for the query filter',
function (done) {
PostWithStringId.create({id: '2', title: 'c', content: 'CCC'}, function (err, post) {
PostWithStringId.create({id: '1', title: 'd', content: 'DDD'}, function (err, post) {
PostWithStringId.find(function (err, posts) {
should.not.exist(err);
posts.length.should.be.equal(2);
posts[0].id.should.be.equal('1');
PostWithStringId.find({limit: 1, offset: 0}, function (err, posts) {
should.not.exist(err);
posts.length.should.be.equal(1);
posts[0].id.should.be.equal('1');
PostWithStringId.find({limit: 1, offset: 1}, function (err, posts) {
should.not.exist(err);
posts.length.should.be.equal(1);
posts[0].id.should.be.equal('2');
done();
});
});
});
});
});
});
it('should allow to find using like', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {title: {like: 'M%st'}}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 1);
done();
});
});
});
it('should support like for no match', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {title: {like: 'M%XY'}}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
it('should allow to find using nlike', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {title: {nlike: 'M%st'}}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
it('should support nlike for no match', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {title: {nlike: 'M%XY'}}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 1);
done();
});
});
});
it('should support "and" operator that is satisfied', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {and: [
{title: 'My Post'},
{content: 'Hello'}
]}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 1);
done();
});
});
});
it('should support "and" operator that is not satisfied', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {and: [
{title: 'My Post'},
{content: 'Hello1'}
]}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
it('should support "or" that is satisfied', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {or: [
{title: 'My Post'},
{content: 'Hello1'}
]}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 1);
done();
});
});
});
it('should support "or" operator that is not satisfied', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.find({where: {or: [
{title: 'My Post1'},
{content: 'Hello1'}
]}}, function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
// The where object should be parsed by the connector
it('should support where for count', function (done) {
Post.create({title: 'My Post', content: 'Hello'}, function (err, post) {
Post.count({and: [
{title: 'My Post'},
{content: 'Hello'}
]}, function (err, count) {
should.not.exist(err);
count.should.be.equal(1);
Post.count({and: [
{title: 'My Post1'},
{content: 'Hello'}
]}, function (err, count) {
should.not.exist(err);
count.should.be.equal(0);
done();
});
});
});
});
// The where object should be parsed by the connector
it('should support where for destroyAll', function (done) {
Post.create({title: 'My Post1', content: 'Hello'}, function (err, post) {
Post.create({title: 'My Post2', content: 'Hello'}, function (err, post) {
Post.destroyAll({and: [
{title: 'My Post1'},
{content: 'Hello'}
]}, function (err) {
should.not.exist(err);
Post.count(function (err, count) {
should.not.exist(err);
count.should.be.equal(1);
done();
});
});
});
});
});
it('should not allow SQL injection for inq operator', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {title: {inq: 'SELECT title from PostWithDefaultId'}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
});
it('should not allow SQL injection for lt operator', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {stars: {lt: 'SELECT title from PostWithDefaultId'}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
});
it('should not allow SQL injection for nin operator', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {title: {nin: 'SELECT title from PostWithDefaultId'}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 2);
done();
});
});
});
});
it('should not allow SQL injection for inq operator with number column', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {stars: {inq: 'SELECT title from PostWithDefaultId'}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
});
it('should not allow SQL injection for inq operator with array value', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {stars: {inq: [5, 'SELECT title from PostWithDefaultId']}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 1);
done();
});
});
});
});
it('should not allow SQL injection for between operator', function (done) {
Post.create({title: 'My Post1', content: 'Hello', stars: 5},
function (err, post) {
Post.create({title: 'My Post2', content: 'Hello', stars: 20},
function (err, post) {
Post.find({where: {stars: {between: [5, 'SELECT title from PostWithDefaultId']}}},
function (err, posts) {
should.not.exist(err);
posts.should.have.property('length', 0);
done();
});
});
});
});
after(function (done) {
Post.destroyAll(function () {
PostWithStringId.destroyAll(done);
});
});
});