mirror
/
wildebeest
kopia lustrzana https://github.com/cloudflare/wildebeest
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Merge pull request #337 from cloudflare/getObjectBy-allow-list 

improve typing and security of getObjectBy function
pull/255/head
Sven Sauleau 2023-02-23 17:02:08 +01:00 zatwierdzone przez GitHub
rodzic a815ccdf28 9f2eeb19dd
commit 586a333021
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 4AEE18F83AFDEB23
2 zmienionych plików z 21 dodań i 10 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

2
backend/src/activitypub/activities/handle.ts
Wyświetl plik

@ -116,7 +116,7 @@ export async function handle(
} }
// check current object // check current object
const object = await objects.getObjectBy(db, 'original_object_id', objectId.toString()) const object = await objects.getObjectBy(db, objects.ObjectByKey.originalObjectId, objectId.toString())
if (object === null) { if (object === null) {
throw new Error(`object ${objectId} does not exist`) throw new Error(`object ${objectId} does not exist`)
} }

29
backend/src/activitypub/objects/index.ts
Wyświetl plik

@ -95,7 +95,7 @@ export async function cacheObject(
): Promise<CacheObjectRes> { ): Promise<CacheObjectRes> {
const sanitizedProperties = await sanitizeObjectProperties(properties) const sanitizedProperties = await sanitizeObjectProperties(properties)
const cachedObject = await getObjectBy(db, 'original_object_id', originalObjectId.toString()) const cachedObject = await getObjectBy(db, ObjectByKey.originalObjectId, originalObjectId.toString())
if (cachedObject !== null) { if (cachedObject !== null) {
return { return {
created: false, created: false,
@ -168,23 +168,34 @@ export async function updateObjectProperty(db: Database, obj: APObject, key: str
} }
export async function getObjectById(db: Database, id: string | URL): Promise<APObject | null> { export async function getObjectById(db: Database, id: string | URL): Promise<APObject | null> {
return getObjectBy(db, 'id', id.toString()) return getObjectBy(db, ObjectByKey.id, id.toString())
} }
export async function getObjectByOriginalId(db: Database, id: string | URL): Promise<APObject | null> { export async function getObjectByOriginalId(db: Database, id: string | URL): Promise<APObject | null> {
return getObjectBy(db, 'original_object_id', id.toString()) return getObjectBy(db, ObjectByKey.originalObjectId, id.toString())
} }
export async function getObjectByMastodonId(db: Database, id: UUID): Promise<APObject | null> { export async function getObjectByMastodonId(db: Database, id: UUID): Promise<APObject | null> {
return getObjectBy(db, 'mastodon_id', id) return getObjectBy(db, ObjectByKey.mastodonId, id)
} }
export async function getObjectBy(db: Database, key: string, value: string) { export enum ObjectByKey {
id = 'id',
originalObjectId = 'original_object_id',
mastodonId = 'mastodon_id',
}
const allowedObjectByKeysSet = new Set(Object.values(ObjectByKey))
export async function getObjectBy(db: Database, key: ObjectByKey, value: string) {
if (!allowedObjectByKeysSet.has(key)) {
throw new Error('getObjectBy run with invalid key: ' + key)
}
const query = ` const query = `
SELECT * SELECT *
FROM objects FROM objects
WHERE objects.${key}=? WHERE objects.${key}=?
` `
const { results, success, error } = await db.prepare(query).bind(value).all() const { results, success, error } = await db.prepare(query).bind(value).all()
if (!success) { if (!success) {
throw new Error('SQL error: ' + error) throw new Error('SQL error: ' + error)