Objection.js: where子句加完后能不能全部用括号括起来?
Objection.js: Can all where clauses be enclosed in parentheses after they have been added?
代码示例
// Creates an Objection query.
// I have no control over the creation of the query. I can only modify the query after it has been created.
// Example: "select `todos`.* from `todos` where `text` = ?"
const objectionQuery = thirdPartyService.createQuery(userControlledInput);
// Adds an access check. Example "select `todos`.* from `todos` where `text` = ? and `userId` = ?"
objectionQuery.andWhere("userId", currentUser.id);
以上示例存在安全漏洞。如果 thirdPartyService 生成这样的查询:
select `todos`.* from `todos` where `text` = ? or `id` = ?
然后在添加访问检查后我们将得到以下查询:
select `todos`.* from `todos` where `text` = ? or `id` = ? and `userId` = ?
并且此查询可以 return 不属于当前用户的数据。
要修复此错误,我们需要将用户控制的条件括在括号中:
select `todos`.* from `todos` where (`text` = ? or `id` = ?) and `userId` = ?
但是我如何使用异议查询构建器来做到这一点?我想像这样:
const objectionQuery = thirdPartyService.createQuery(userControlledInput);
wrapWhereClauses(objectionQuery);
objectionQuery.andWhere("userId", currentUser.id);
来自 docs:您可以通过将函数传递给任何 where* 方法来为查询添加括号:
await Todo.query()
.where('userId', 1)
.where(builder => {
builder.where('text', 2).orWhere('id', 3);
});
将导致
select * from "todos" where "userId" = 1 and ("text" = 2 or "id" = 3)
一种方法是将原始查询包装为子查询/临时查询table:
MyModel.query().from(thirdPartyService.createQuery(userControlledInput)).where(...)
(请告诉我这是否有效,我还没有测试过)
// Creates an Objection query.
// I have no control over the creation of the query. I can only modify the query after it has been created.
// Example: "select `todos`.* from `todos` where `text` = ?"
const objectionQuery = thirdPartyService.createQuery(userControlledInput);
// Adds an access check. Example "select `todos`.* from `todos` where `text` = ? and `userId` = ?"
objectionQuery.andWhere("userId", currentUser.id);
以上示例存在安全漏洞。如果 thirdPartyService 生成这样的查询:
select `todos`.* from `todos` where `text` = ? or `id` = ?
然后在添加访问检查后我们将得到以下查询:
select `todos`.* from `todos` where `text` = ? or `id` = ? and `userId` = ?
并且此查询可以 return 不属于当前用户的数据。 要修复此错误,我们需要将用户控制的条件括在括号中:
select `todos`.* from `todos` where (`text` = ? or `id` = ?) and `userId` = ?
但是我如何使用异议查询构建器来做到这一点?我想像这样:
const objectionQuery = thirdPartyService.createQuery(userControlledInput);
wrapWhereClauses(objectionQuery);
objectionQuery.andWhere("userId", currentUser.id);
来自 docs:您可以通过将函数传递给任何 where* 方法来为查询添加括号:
await Todo.query()
.where('userId', 1)
.where(builder => {
builder.where('text', 2).orWhere('id', 3);
});
将导致
select * from "todos" where "userId" = 1 and ("text" = 2 or "id" = 3)
一种方法是将原始查询包装为子查询/临时查询table:
MyModel.query().from(thirdPartyService.createQuery(userControlledInput)).where(...)
(请告诉我这是否有效,我还没有测试过)