Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

findOne ignore invalid parameter instead of throw an error #2690

Closed
janmisek1 opened this issue Aug 21, 2018 · 4 comments
Closed

findOne ignore invalid parameter instead of throw an error #2690

janmisek1 opened this issue Aug 21, 2018 · 4 comments
Labels
comp: manager and repository enhancement

Comments

@janmisek1
Copy link

Issue type:

[ ] question
[x] bug report
[ ] feature request
[ ] documentation issue

Database system/driver:

[ ] cordova
[ ] mongodb
[ ] mssql
[x ] mysql / mariadb
[ ] oracle
[ ] postgres
[ ] sqlite
[ ] sqljs
[ ] react-native
[ ] expo

TypeORM version:

[x] latest
[ ] @next
[ ] 0.x.x (or put your version here)

Steps to reproduce or a small repository showing the problem:

Hello, I have entity

export class FilesFolders {
    @PrimaryGeneratedColumn()
    public id: number

    @ManyToOne(type => Files, file => file.id)
    @JoinColumn() 
    file: Files

    @ManyToOne(type => Folders, folder => folder.id)
    @JoinColumn() 
    branch: Folders
}

Which alowed map files to folders. One file could be in many folders.

But I have done typing error "banch" instead "bRanch" when retrieving data:

filesFolder = await filesFoldersRepository.findOne({where: {file: args.id, banch: args.oldBranchId}, relations: ['file', 'branch'] }) as FilesFolders

but this found first result and ingnored invalid (typing error) parameter. I thing it shoul throw error like "Unknown column 'banchId' in 'where clause'! "
@nghenglim
Copy link

nghenglim commented Dec 12, 2018
edited

Same here on version 0.2.9, I believe it happen in all the find, quite a security issue

Update: the problem is inside the querybuilder, it uses findColumnsWithPropertyPath which ignore the column if not found, but seems to affect a lot of other place if want to fix

@nghenglim
Copy link

nghenglim commented Dec 12, 2018
edited

found in typeorm/src/metadata/EntityMetadata.ts master

/**
     * Finds columns with a given property path.
     * Property path can match a relation, and relations can contain multiple columns.
     */
    findColumnsWithPropertyPath(propertyPath: string): ColumnMetadata[] {
        const column = this.columns.find(column => column.propertyPath === propertyPath);
        if (column)
            return [column];

        // in the case if column with property path was not found, try to find a relation with such property path
        // if we find relation and it has a single join column then its the column user was seeking
        const relation = this.relations.find(relation => relation.propertyPath === propertyPath);
        if (relation && relation.joinColumns)
            return relation.joinColumns;

        return [];
    }

Since we are using typeorm I believe type safety and result correctness is what we care, return [] when not found seems dangerous.

@pleerock
Copy link
Member

pleerock commented Jan 4, 2019

I think we can throw an exception in the case if we find not exist column.

@silentroach silentroach mentioned this issue Jan 15, 2019
Closed
@vlapo
Copy link
Contributor

vlapo commented Jan 15, 2019

Closing in favor of #3416

@vlapo vlapo closed this as completed Jan 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
comp: manager and repository enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pleerock @vlapo @nghenglim @janmisek1