From 661329b9774842dcad6a3b5a731f2c3805ed1881 Mon Sep 17 00:00:00 2001
From: fogelito
Date: Thu, 9 May 2024 19:54:28 +0300
Subject: [PATCH 1/7] Invalid cursor value

---
 app/controllers/api/databases.php | 6 +++++
 composer.lock | 22 +++++++++----------
 .../e2e/Services/Databases/DatabasesBase.php | 15 +++++++++++++
 3 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index c8903538d0..48f2b40acd 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -36,6 +36,7 @@ use Utopia\Database\Validator\Index as IndexValidator;
 use Utopia\Database\Validator\Key;
 use Utopia\Database\Validator\Permissions;
 use Utopia\Database\Validator\Queries;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Query\Limit;
 use Utopia\Database\Validator\Query\Offset;
 use Utopia\Database\Validator\Structure;
@@ -3006,6 +3007,11 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 $cursor = \reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $documentId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
diff --git a/composer.lock b/composer.lock
index 76f51b75c5..34e6031fdc 100644
--- a/composer.lock
+++ b/composer.lock
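Review bot: The `Cursor` check is added inside this route's closure after `\reset($cursor)`, and patch 5 later pastes the identical five lines into every other list route (account, databases, functions, messaging, migrations, projects, proxy, storage, teams, users, vcs), so a list endpoint added later without the block silently regains the `getDocument` type error this series fixes. `Utopia\Database\Validator\Queries` is already imported in this file; if that validator accepts `new Cursor()` next to `new Limit()` and `new Offset()` in the `queries` parameter declaration, the cursor shape would be enforced once at the parameter boundary instead of per route, and failing that a shared project helper wrapping the `isValid`/`throw` pair keeps the check in one place. Either way a one-line comment above the check, `// reject malformed cursor values (e.g. null) before they reach getDocument`, records why it must precede `getValue()`. The enclosing route closure starts and ends outside the hunk.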
@@ -822,16 +822,16 @@ }, { "name": "paragonie/constant_time_encoding", - "version": "v2.6.3", + "version": "v2.7.0", "source": { "type": "git", "url": "https://github.com/paragonie/constant_time_encoding.git", - "reference": "58c3f47f650c94ec05a151692652a868995d2938" + "reference": "52a0d99e69f56b9ec27ace92ba56897fe6993105" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/58c3f47f650c94ec05a151692652a868995d2938", - "reference": "58c3f47f650c94ec05a151692652a868995d2938", + "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/52a0d99e69f56b9ec27ace92ba56897fe6993105", + "reference": "52a0d99e69f56b9ec27ace92ba56897fe6993105", "shasum": "" }, "require": { @@ -885,7 +885,7 @@ "issues": "https://github.com/paragonie/constant_time_encoding/issues", "source": "https://github.com/paragonie/constant_time_encoding" }, - "time": "2022-06-14T06:56:20+00:00" + "time": "2024-05-08T12:18:48+00:00" }, { "name": "phpmailer/phpmailer", @@ -3660,16 +3660,16 @@ }, { "name": "phpstan/phpdoc-parser", - "version": "1.28.0", + "version": "1.29.0", "source": { "type": "git", "url": "https://github.com/phpstan/phpdoc-parser.git", - "reference": "cd06d6b1a1b3c75b0b83f97577869fd85a3cd4fb" + "reference": "536889f2b340489d328f5ffb7b02bb6b183ddedc" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/cd06d6b1a1b3c75b0b83f97577869fd85a3cd4fb", - "reference": "cd06d6b1a1b3c75b0b83f97577869fd85a3cd4fb", + "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/536889f2b340489d328f5ffb7b02bb6b183ddedc", + "reference": "536889f2b340489d328f5ffb7b02bb6b183ddedc", "shasum": "" }, "require": { 
@@ -3701,9 +3701,9 @@
 "description": "PHPDoc parser with support for nullable, intersection and generic types",
 "support": {
 "issues": "https://github.com/phpstan/phpdoc-parser/issues",
- "source": "https://github.com/phpstan/phpdoc-parser/tree/1.28.0"
+ "source": "https://github.com/phpstan/phpdoc-parser/tree/1.29.0"
 },
- "time": "2024-04-03T18:51:33+00:00"
+ "time": "2024-05-06T12:04:23+00:00"
 },
 {
 "name": "phpunit/php-code-coverage",
diff --git a/tests/e2e/Services/Databases/DatabasesBase.php b/tests/e2e/Services/Databases/DatabasesBase.php
index 6f65552f1c..0aac8045a7 100644
--- a/tests/e2e/Services/Databases/DatabasesBase.php
+++ b/tests/e2e/Services/Databases/DatabasesBase.php
@@ -1743,6 +1743,21 @@ trait DatabasesBase
 $this->assertEquals(400, $documents['headers']['status-code']);
+ /**
+ * Test null value for cursor
+ */
+
+ $documents = $this->client->call(Client::METHOD_GET, '/databases/' . $databaseId . '/collections/' . $data['moviesId'] . '/documents', array_merge([
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ], $this->getHeaders()), [
+ 'queries' => [
+ '{"method":"cursorAfter","values":[null]}',
+ ],
+ ]);
+
+ $this->assertEquals(400, $documents['headers']['status-code']);
+
 return [];
 }
From 8bf1d4924b596dedeadcd3fd0d56b08072a1bfb0 Mon Sep 17 00:00:00 2001
From: fogelito
Date: Wed, 15 May 2024 10:36:18 +0300
Subject: [PATCH 2/7] Use original delete throw

---
 composer.json | 2 +-
 composer.lock | 28 +++++++++++++++++++---------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/composer.json b/composer.json
index 8865a32d91..26032698ec 100644
--- a/composer.json
+++ b/composer.json
@@ -50,7 +50,7 @@
 "utopia-php/cache": "0.9.*",
 "utopia-php/cli": "0.15.*",
 "utopia-php/config": "0.2.*",
- "utopia-php/database": "0.49.*",
+ "utopia-php/database": "dev-main as 0.49.9",
 "utopia-php/domains": "0.5.*",
 "utopia-php/dsn": "0.2.1",
 "utopia-php/framework": "0.33.*",
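Review bot: The new case sends a single `cursorAfter` query with `[null]` and asserts only the 400 status, so a 400 raised by any other validator on this route would keep it green; asserting the response body's error type against `Exception::GENERAL_QUERY_INVALID` as well ties the test to the new check. `cursorBefore` takes the same `\reset($cursor)` path in the controller and is not exercised, and the routes patch 5 extends the check to get no test at all, so a regression there would go unnoticed. The comment `Test null value for cursor` could state the expectation, e.g. `Test that a null cursor value is rejected with 400 instead of a type error`. The enclosing test method starts outside the hunk.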
diff --git a/composer.lock b/composer.lock index 34e6031fdc..d31d08315e 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "6ce62f5b54254e5023c5ace349a0ced7", + "content-hash": "26d20d884c55e5bcbc24ae42e5040d02", "packages": [ { "name": "adhocore/jwt", @@ -1556,16 +1556,16 @@ }, { "name": "utopia-php/database", - "version": "0.49.8", + "version": "dev-main", "source": { "type": "git", "url": "https://github.com/utopia-php/database.git", - "reference": "4fb1f6d216f6f628dd5b013e1f539ae2191228b1" + "reference": "ee93c14b99820f791c669648854f094fe399a085" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/utopia-php/database/zipball/4fb1f6d216f6f628dd5b013e1f539ae2191228b1", - "reference": "4fb1f6d216f6f628dd5b013e1f539ae2191228b1", + "url": "https://api.github.com/repos/utopia-php/database/zipball/ee93c14b99820f791c669648854f094fe399a085", + "reference": "ee93c14b99820f791c669648854f094fe399a085", "shasum": "" }, "require": { @@ -1586,6 +1586,7 @@ "swoole/ide-helper": "4.8.0", "utopia-php/cli": "^0.14.0" }, + "default-branch": true, "type": "library", "autoload": { "psr-4": { @@ -1606,9 +1607,9 @@ ], "support": { "issues": "https://github.com/utopia-php/database/issues", - "source": "https://github.com/utopia-php/database/tree/0.49.8" + "source": "https://github.com/utopia-php/database/tree/0.49.9" }, - "time": "2024-05-09T04:43:05+00:00" + "time": "2024-05-12T23:58:34+00:00" }, { "name": "utopia-php/domains", 
@@ -5503,9 +5504,18 @@ "time": "2023-11-21T18:54:41+00:00" } ], - "aliases": [], + "aliases": [ + { + "package": "utopia-php/database", + "version": "dev-main", + "alias": "0.49.9", + "alias_normalized": "0.49.9.0" + } + ], "minimum-stability": "stable", - "stability-flags": [], + "stability-flags": { + "utopia-php/database": 20 + }, "prefer-stable": false, "prefer-lowest": false, "platform": { From 6a4581671f79def9096c9dd7cfa767a1321f57f8 Mon Sep 17 00:00:00 2001 From: fogelito Date: Wed, 15 May 2024 10:52:45 +0300 Subject: [PATCH 3/7] Use original delete throw --- composer.json | 2 +- composer.lock | 17 ++++++++--------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/composer.json b/composer.json index 26032698ec..412490ece6 100644 --- a/composer.json +++ b/composer.json @@ -50,7 +50,7 @@ "utopia-php/cache": "0.9.*", "utopia-php/cli": "0.15.*", "utopia-php/config": "0.2.*", - "utopia-php/database": "dev-main as 0.49.9", + "utopia-php/database": "dev-original-exception as 0.49.9", "utopia-php/domains": "0.5.*", "utopia-php/dsn": "0.2.1", "utopia-php/framework": "0.33.*", diff --git a/composer.lock b/composer.lock index d31d08315e..d5f431bb26 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "26d20d884c55e5bcbc24ae42e5040d02", + "content-hash": "3ecdbc85939cda3b739dcc76c356f3b4", "packages": [ { "name": "adhocore/jwt", 
@@ -1556,16 +1556,16 @@ }, { "name": "utopia-php/database", - "version": "dev-main", + "version": "dev-original-exception", "source": { "type": "git", "url": "https://github.com/utopia-php/database.git", - "reference": "ee93c14b99820f791c669648854f094fe399a085" + "reference": "1a85827705a420b0dbc6c15845c33ba039cde900" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/utopia-php/database/zipball/ee93c14b99820f791c669648854f094fe399a085", - "reference": "ee93c14b99820f791c669648854f094fe399a085", + "url": "https://api.github.com/repos/utopia-php/database/zipball/1a85827705a420b0dbc6c15845c33ba039cde900", + "reference": "1a85827705a420b0dbc6c15845c33ba039cde900", "shasum": "" }, "require": { @@ -1586,7 +1586,6 @@ "swoole/ide-helper": "4.8.0", "utopia-php/cli": "^0.14.0" }, - "default-branch": true, "type": "library", "autoload": { "psr-4": { @@ -1607,9 +1606,9 @@ ], "support": { "issues": "https://github.com/utopia-php/database/issues", - "source": "https://github.com/utopia-php/database/tree/0.49.9" + "source": "https://github.com/utopia-php/database/tree/original-exception" }, - "time": "2024-05-12T23:58:34+00:00" + "time": "2024-05-15T07:29:54+00:00" }, { "name": "utopia-php/domains", @@ -5507,7 +5506,7 @@ "aliases": [ { "package": "utopia-php/database", - "version": "dev-main", + "version": "dev-original-exception", "alias": "0.49.9", "alias_normalized": "0.49.9.0" } From 1a5ae40e15695446bf2c630259693dec437936cb Mon Sep 17 00:00:00 2001 From: fogelito Date: Wed, 15 May 2024 10:56:02 +0300 Subject: [PATCH 4/7] revert --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 412490ece6..8865a32d91 100644 --- a/composer.json +++ b/composer.json 
@@ -50,7 +50,7 @@
 "utopia-php/cache": "0.9.*",
 "utopia-php/cli": "0.15.*",
 "utopia-php/config": "0.2.*",
- "utopia-php/database": "dev-original-exception as 0.49.9",
+ "utopia-php/database": "0.49.*",
 "utopia-php/domains": "0.5.*",
 "utopia-php/dsn": "0.2.1",
 "utopia-php/framework": "0.33.*",
From a7f1cc128a4516d70f778fafbdb62c1bfeddd3a7 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Thu, 17 Oct 2024 18:41:24 +1300
Subject: [PATCH 5/7] Validate cursor queries to avoid getDocument type error

---
 app/controllers/api/account.php | 7 +++++++
 app/controllers/api/databases.php | 23 +++++++++++++++++++++++
 app/controllers/api/functions.php | 19 +++++++++++++++++++
 app/controllers/api/messaging.php | 26 ++++++++++++++++++++++++++
 app/controllers/api/migrations.php | 7 +++++++
 app/controllers/api/projects.php | 7 +++++++
 app/controllers/api/proxy.php | 7 +++++++
 app/controllers/api/storage.php | 13 +++++++++++++
 app/controllers/api/teams.php | 14 ++++++++++++++
 app/controllers/api/users.php | 18 ++++++++++++++++++
 app/controllers/api/vcs.php | 7 +++++++
 11 files changed, 148 insertions(+)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 64441fee5c..cb71818df3 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -42,6 +42,7 @@ use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Queries;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Query\Limit;
 use Utopia\Database\Validator\Query\Offset;
 use Utopia\Database\Validator\UID;
@@ -4486,6 +4487,12 @@ App::get('/v1/account/identities')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $identityId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('identities', $identityId);
diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index 2784d7f57b..a44d5dab6d 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -547,6 +547,13 @@ App::get('/v1/databases')
 });
 $cursor = reset($cursor);
 if ($cursor) {
+ /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $databaseId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('databases', $databaseId);
@@ -879,6 +886,12 @@ App::get('/v1/databases/:databaseId/collections')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $collectionId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('database_' . $database->getInternalId(), $collectionId);
@@ -1789,6 +1802,11 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/attributes')
 $cursor = \reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $attributeId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->find('attributes', [
 Query::equal('collectionInternalId', [$collection->getInternalId()]),
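Review bot: The `/v1/databases` hunk adds a `/** @var Query $cursor */` line before the new check, but the attributes hunk below it (`@@ -1789`) and the indexes hunk in the next chunk (`@@ -2668`) call `$cursor->getValue()` on the result of `\reset()` without one, so static analysis sees `mixed|false` there while it sees `Query` elsewhere in the same file; adding the same `/** @var Query $cursor */` line to those two hunks keeps the file consistent. The five messaging hunks and the users `targets` hunk use the same bare `if ($cursor) {` form and would benefit from the same annotation. Each enclosing route closure starts and ends outside its hunk.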
@@ -2668,6 +2686,11 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/indexes')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $indexId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->find('indexes', [
 Query::equal('collectionInternalId', [$collection->getInternalId()]),
diff --git a/app/controllers/api/functions.php b/app/controllers/api/functions.php
index f1e8d82a9b..c3051ef476 100644
--- a/app/controllers/api/functions.php
+++ b/app/controllers/api/functions.php
@@ -37,6 +37,7 @@ use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Datetime as DatetimeValidator;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Roles;
 use Utopia\Database\Validator\UID;
 use Utopia\Storage\Device;
@@ -431,6 +432,12 @@ App::get('/v1/functions')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $functionId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('functions', $functionId);
@@ -1407,6 +1414,12 @@ App::get('/v1/functions/:functionId/deployments')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $deploymentId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('deployments', $deploymentId);
@@ -2153,6 +2166,12 @@ App::get('/v1/functions/:functionId/executions')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $executionId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('executions', $executionId);
diff --git a/app/controllers/api/messaging.php b/app/controllers/api/messaging.php
index 7da0348a8f..c68ba91297 100644
--- a/app/controllers/api/messaging.php
+++ b/app/controllers/api/messaging.php
@@ -32,6 +32,7 @@ use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Datetime as DatetimeValidator;
 use Utopia\Database\Validator\Queries;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Query\Limit;
 use Utopia\Database\Validator\Query\Offset;
 use Utopia\Database\Validator\Roles;
@@ -866,6 +867,11 @@ App::get('/v1/messaging/providers')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $providerId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('providers', $providerId));
@@ -1998,6 +2004,11 @@ App::get('/v1/messaging/topics')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $topicId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('topics', $topicId));
@@ -2352,6 +2363,11 @@ App::get('/v1/messaging/topics/:topicId/subscribers')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $subscriberId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('subscribers', $subscriberId));
@@ -3048,6 +3064,11 @@ App::get('/v1/messaging/messages')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $messageId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('messages', $messageId));
@@ -3202,6 +3223,11 @@ App::get('/v1/messaging/messages/:messageId/targets')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $targetId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('targets', $targetId);
diff --git a/app/controllers/api/migrations.php b/app/controllers/api/migrations.php
index bb89d4a26f..a4880cef86 100644
--- a/app/controllers/api/migrations.php
+++ b/app/controllers/api/migrations.php
@@ -16,6 +16,7 @@ use Utopia\Database\Document;
 use Utopia\Database\Exception\Query as QueryException;
 use Utopia\Database\Helpers\ID;
 use Utopia\Database\Query;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\UID;
 use Utopia\Migration\Sources\Appwrite;
 use Utopia\Migration\Sources\Firebase;
@@ -409,6 +410,12 @@ App::get('/v1/migrations')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $migrationId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('migrations', $migrationId);
diff --git a/app/controllers/api/projects.php b/app/controllers/api/projects.php
index 934793410b..3bfa416bd8 100644
--- a/app/controllers/api/projects.php
+++ b/app/controllers/api/projects.php
@@ -31,6 +31,7 @@ use Utopia\Database\Helpers\Permission;
 use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Datetime as DatetimeValidator;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\UID;
 use Utopia\Domains\Validator\PublicDomain;
 use Utopia\DSN\DSN;
@@ -279,6 +280,12 @@ App::get('/v1/projects')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $projectId = $cursor->getValue();
 $cursorDocument = $dbForConsole->getDocument('projects', $projectId);
diff --git a/app/controllers/api/proxy.php b/app/controllers/api/proxy.php
index 84484a7209..984a9fb974 100644
--- a/app/controllers/api/proxy.php
+++ b/app/controllers/api/proxy.php
@@ -13,6 +13,7 @@ use Utopia\Database\Document;
 use Utopia\Database\Exception\Query as QueryException;
 use Utopia\Database\Helpers\ID;
 use Utopia\Database\Query;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\UID;
 use Utopia\Domains\Domain;
 use Utopia\Logger\Log;
@@ -185,6 +186,12 @@ App::get('/v1/proxy/rules')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $ruleId = $cursor->getValue();
 $cursorDocument = $dbForConsole->getDocument('rules', $ruleId);
diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index 4e30832a67..c3d57e5470 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -24,6 +24,7 @@ use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Permissions;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\UID;
 use Utopia\Image\Image;
 use Utopia\Storage\Compression\Algorithms\GZIP;
@@ -178,6 +179,12 @@ App::get('/v1/storage/buckets')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $bucketId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('buckets', $bucketId);
@@ -744,6 +751,12 @@ App::get('/v1/storage/buckets/:bucketId/files')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $fileId = $cursor->getValue();
 if ($fileSecurity && !$valid) {
diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index 146b5d5f81..f9abaeeb44 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -34,6 +34,7 @@ use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Key;
 use Utopia\Database\Validator\Queries;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Query\Limit;
 use Utopia\Database\Validator\Query\Offset;
 use Utopia\Database\Validator\UID;
@@ -170,6 +171,12 @@ App::get('/v1/teams')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $teamId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('teams', $teamId);
@@ -751,6 +758,13 @@ App::get('/v1/teams/:teamId/memberships')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
+
 $membershipId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('memberships', $membershipId);
diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 571df4fdb2..f0378ed0e3 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -36,6 +36,7 @@ use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Database\Validator\Queries;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Database\Validator\Query\Limit;
 use Utopia\Database\Validator\Query\Offset;
 use Utopia\Database\Validator\UID;
@@ -576,6 +577,12 @@ App::get('/v1/users')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $userId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('users', $userId);
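Review bot: The memberships hunk (`@@ -751,6 +758,13 @@`) adds two consecutive blank lines between the closing `}` of the validator check and `$membershipId = $cursor->getValue();`, whereas the teams hunk above it adds one; dropping the second `+` blank line matches the rest of the series and avoids a formatter diff on the next lint run, if the repository runs one. The enclosing route closure starts and ends outside the hunk.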
@@ -886,6 +893,11 @@ App::get('/v1/users/:userId/targets')
 $cursor = reset($cursor);
 if ($cursor) {
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $targetId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('targets', $targetId);
@@ -938,6 +950,12 @@ App::get('/v1/users/identities')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $identityId = $cursor->getValue();
 $cursorDocument = $dbForProject->getDocument('identities', $identityId);
diff --git a/app/controllers/api/vcs.php b/app/controllers/api/vcs.php
index f3381490ec..e79eb67936 100644
--- a/app/controllers/api/vcs.php
+++ b/app/controllers/api/vcs.php
@@ -20,6 +20,7 @@ use Utopia\Database\Helpers\Permission;
 use Utopia\Database\Helpers\Role;
 use Utopia\Database\Query;
 use Utopia\Database\Validator\Authorization;
+use Utopia\Database\Validator\Query\Cursor;
 use Utopia\Detector\Adapter\Bun;
 use Utopia\Detector\Adapter\CPP;
 use Utopia\Detector\Adapter\Dart;
@@ -1069,6 +1070,12 @@ App::get('/v1/vcs/installations')
 $cursor = reset($cursor);
 if ($cursor) {
 /** @var Query $cursor */
+
+ $validator = new Cursor();
+ if (!$validator->isValid($cursor)) {
+ throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
+ }
+
 $installationId = $cursor->getValue();
 $cursorDocument = $dbForConsole->getDocument('installations', $installationId);
From ea2192a83cb1b890f2ad4e44bcf456e1833df812 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Thu, 17 Oct 2024 18:51:26 +1300
Subject: [PATCH 6/7] Force CI

---
 app/controllers/api/databases.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index a44d5dab6d..454ab89de3 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -3123,6 +3123,7 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
 }
+
 $documentId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));
From b32cb30737c749f47f64e7dadd68fc74be1cb887 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Thu, 17 Oct 2024 18:51:41 +1300
Subject: [PATCH 7/7] Force CI

---
 app/controllers/api/databases.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index 454ab89de3..473f09cb7c 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -3123,7 +3123,7 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 throw new Exception(Exception::GENERAL_QUERY_INVALID, $validator->getDescription());
 }
-
+
 $documentId = $cursor->getValue();
 $cursorDocument = Authorization::skip(fn () => $dbForProject->getDocument('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $documentId));