strapi/packages/core/utils/lib/sanitize/index.js

'use strict';

const { isArray } = require('lodash/fp');

const traverseEntity = require('../traverse-entity');
const { getNonWritableAttributes } = require('../content-types');
const { pipeAsync } = require('../async');

const visitors = require('./visitors');
const sanitizers = require('./sanitizers');

module.exports = {
  contentAPI: {
    input(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map((entry) => this.input(entry, schema, { auth })));
      }

      const nonWritableAttributes = getNonWritableAttributes(schema);

      const transforms = [
        // Remove non writable attributes
        traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),
      ];

      if (auth) {
        // Remove restricted relations
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      // Apply sanitizers from registry if exists
      strapi.sanitizers
        .get('content-api.input')
        .forEach((sanitizer) => transforms.push(sanitizer(schema)));

      return pipeAsync(...transforms)(data);
    },

    output(data, schema, { auth } = {}) {
      if (isArray(data)) {
        return Promise.all(data.map((entry) => this.output(entry, schema, { auth })));
      }

      const transforms = [sanitizers.defaultSanitizeOutput(schema)];

      if (auth) {
        transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));
      }

      // Apply sanitizers from registry if exists
      strapi.sanitizers
        .get('content-api.output')
        .forEach((sanitizer) => transforms.push(sanitizer(schema)));

      return pipeAsync(...transforms)(data);
    },
  },

  sanitizers,
  visitors,
};
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`'use strict';`

			`const { isArray } = require('lodash/fp');`

			`const traverseEntity = require('../traverse-entity');`
			`const { getNonWritableAttributes } = require('../content-types');`
feat(core-utils): add mapAsync and reduceAsync utils 2022-12-08 17:17:11 +01:00			`const { pipeAsync } = require('../async');`
Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`const visitors = require('./visitors');`
use 'sanitizers' instead of 'utils' 2021-11-10 17:08:54 +01:00			`const sanitizers = require('./sanitizers');`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00
			`module.exports = {`
			`contentAPI: {`
			`input(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`return Promise.all(data.map((entry) => this.input(entry, schema, { auth })));`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`}`

			`const nonWritableAttributes = getNonWritableAttributes(schema);`

			`const transforms = [`
			`// Remove non writable attributes`
			`traverseEntity(visitors.restrictedFields(nonWritableAttributes), { schema }),`
			`];`

			`if (auth) {`
			`// Remove restricted relations`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

Add sanitizers registry to container - Remove users-permissions sanitization step in core - Move sanitization functions to users-permissions plugin utils - Add sanitizers registry to container for manage sanitizer functions in core so that we can get/add sanitizers anywhere we want 2022-04-21 00:29:26 +09:00			`// Apply sanitizers from registry if exists`
Refactor sanitizers module to be maintained easily 2022-05-07 17:04:12 +09:00			`strapi.sanitizers`
			`.get('content-api.input')`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`.forEach((sanitizer) => transforms.push(sanitizer(schema)));`
Add sanitizers registry to container - Remove users-permissions sanitization step in core - Move sanitization functions to users-permissions plugin utils - Add sanitizers registry to container for manage sanitizer functions in core so that we can get/add sanitizers anywhere we want 2022-04-21 00:29:26 +09:00
Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00			`return pipeAsync(...transforms)(data);`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`},`

			`output(data, schema, { auth } = {}) {`
			`if (isArray(data)) {`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`return Promise.all(data.map((entry) => this.output(entry, schema, { auth })));`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`}`

Add sanitizers registry to container - Remove users-permissions sanitization step in core - Move sanitization functions to users-permissions plugin utils - Add sanitizers registry to container for manage sanitizer functions in core so that we can get/add sanitizers anywhere we want 2022-04-21 00:29:26 +09:00			`const transforms = [sanitizers.defaultSanitizeOutput(schema)];`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00
			`if (auth) {`
			`transforms.push(traverseEntity(visitors.removeRestrictedRelations(auth), { schema }));`
			`}`

Add sanitizers registry to container - Remove users-permissions sanitization step in core - Move sanitization functions to users-permissions plugin utils - Add sanitizers registry to container for manage sanitizer functions in core so that we can get/add sanitizers anywhere we want 2022-04-21 00:29:26 +09:00			`// Apply sanitizers from registry if exists`
Refactor sanitizers module to be maintained easily 2022-05-07 17:04:12 +09:00			`strapi.sanitizers`
			`.get('content-api.output')`
Prettier and backend fix 2022-08-08 23:33:39 +02:00			`.forEach((sanitizer) => transforms.push(sanitizer(schema)));`
Add sanitizers registry to container - Remove users-permissions sanitization step in core - Move sanitization functions to users-permissions plugin utils - Add sanitizers registry to container for manage sanitizer functions in core so that we can get/add sanitizers anywhere we want 2022-04-21 00:29:26 +09:00
Move pipeAsync to @strapi/utils 2021-11-04 16:43:27 +01:00			`return pipeAsync(...transforms)(data);`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`},`
			`},`

use 'sanitizers' instead of 'utils' 2021-11-10 17:08:54 +01:00			`sanitizers,`
[V4] Enhanced sanitize & remove restricted relations from content API's payloads (#11411) * Rework sanitizeEntity, first iteration * remove console.log * Remove useless comments * Fix e2e tests * Fix up user e2e test * Fix remove-restricted-relations visitor * Handle grapqhql resolver, prevent access to restricted relations * Handle polymorphic relation in the related visitor * Remove morph attribute if empty * Use only the find action to check if the relation is allowed 2021-11-04 15:47:53 +01:00			`visitors,`
			`};`