import "reflect-metadata";
import {closeTestingConnections, createTestingConnections, reloadTestingDatabases} from "../../utils/test-utils";
import {Connection} from "../../../src";
import {Post} from "./entity/Post";
import {expect} from "chai";
import {EntityColumnNotFound} from "../../../src/error/EntityColumnNotFound";
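describe("other issues > preventing-injection", () => {

    let connections: Connection[];
    before(async () => connections = await createTestingConnections({
        entities: [__dirname + "/entity/*{.js,.ts}"],
    }));
    beforeEach(() => reloadTestingDatabases(connections));
    after(() => closeTestingConnections(connections));

    // Every FindOptions / QueryBuilder input that ends up in generated SQL
    // (select, where, order, skip, take, orderBy direction) is handed a value
    // that is not a known column, a number, or an allowed keyword. The expected
    // outcome in each case is a rejection or a thrown error — never a query in
    // which the string is embedded. `as any` is used deliberately: it mimics an
    // untyped request payload reaching these options at runtime.

    // A valid `select` works; a `select` entry that is not an entity column is rejected.
    it("should not allow selection of non-exist columns via FindOptions", () => Promise.all(connections.map(async function(connection) {

        const post = new Post();
        post.title = "hello";
        await connection.manager.save(post);

        const postWithOnlyIdSelected = await connection.manager.find(Post, {
            select: ["id"]
        });
        postWithOnlyIdSelected.should.be.eql([{ id: 1 }]);

        await connection.manager.find(Post, {
            select: ["(WHERE LIMIT 1)" as any]
        }).should.be.rejected;
    })));

    // A valid `where` works; a `where` key that is not an entity column surfaces
    // as EntityColumnNotFound (checked explicitly rather than via a generic rejection
    // so a different failure mode cannot make this test pass by accident).
    it("should throw error for non-exist columns in where expression via FindOptions", () => Promise.all(connections.map(async function(connection) {

        const post = new Post();
        post.title = "hello";
        await connection.manager.save(post);

        const postsWithTitleHello = await connection.manager.find(Post, {
            where: {
                title: "hello"
            }
        });
        postsWithTitleHello.should.be.eql([{ id: 1, title: "hello" }]);

        // `unknown` so the assignment type-checks under useUnknownInCatchVariables.
        let error: unknown;
        try {
            await connection.manager.find(Post, {
                where: {
                    id: 2,
                    ["(WHERE LIMIT 1)"]: "hello"
                }
            });
        } catch (err) {
            error = err;
        }
        expect(error).to.be.an.instanceof(EntityColumnNotFound);
    })));

    // A valid `order` works; an `order` key that is not an entity column is rejected.
    // (Title previously duplicated the `select` test's title.)
    it("should not allow ordering by non-exist columns via FindOptions", () => Promise.all(connections.map(async function(connection) {

        const post = new Post();
        post.title = "hello";
        await connection.manager.save(post);

        const loadedPosts = await connection.manager.find(Post, {
            order: {
                title: "DESC"
            }
        });
        loadedPosts.should.be.eql([{ id: 1, title: "hello" }]);

        await connection.manager.find(Post, {
            order: {
                ["(WHERE LIMIT 1)" as any]: "DESC"
            }
        }).should.be.rejected;
    })));

    // `skip` / `take` must be numeric; string values are rejected, alone and combined.
    it("should not allow non-numeric values in skip and take via FindOptions", () => Promise.all(connections.map(async function(connection) {
        await connection.manager.find(Post, {
            take: "(WHERE XXX)" as any
        }).should.be.rejected;

        await connection.manager.find(Post, {
            skip: "(WHERE LIMIT 1)" as any,
            take: "(WHERE XXX)" as any,
        }).should.be.rejected;
    })));

    // QueryBuilder validates `take` / `skip` synchronously: the builder call itself
    // throws, before any SQL is produced.
    it("should not allow non-numeric values in skip and take in QueryBuilder", () => Promise.all(connections.map(async function(connection) {
        expect(() => {
            connection.manager
                .createQueryBuilder(Post, "post")
                .take("(WHERE XXX)" as any);
        }).to.throw(Error);

        expect(() => {
            connection.manager
                .createQueryBuilder(Post, "post")
                .skip("(WHERE LIMIT 1)" as any);
        }).to.throw(Error);
    })));

    // `orderBy` accepts only the known direction and NULLS keywords; anything else throws.
    it("should not allow non-allowed values in order by in QueryBuilder", () => Promise.all(connections.map(async function(connection) {
        expect(() => {
            connection.manager
                .createQueryBuilder(Post, "post")
                .orderBy("post.id", "MIX" as any);
        }).to.throw(Error);

        expect(() => {
            connection.manager
                .createQueryBuilder(Post, "post")
                .orderBy("post.id", "DESC", "SOMETHING LAST" as any);
        }).to.throw(Error);
    })));

});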