strapi/packages/core/utils/lib/sanitize/sanitizers.js

'use strict';

const { curry, isEmpty, isNil, isArray, isObject } = require('lodash/fp');

const { pipeAsync } = require('../async');
const traverseEntity = require('../traverse-entity');
const { isScalarAttribute } = require('../content-types');

const {
  traverseQueryFilters,
  traverseQuerySort,
  traverseQueryPopulate,
  traverseQueryFields,
} = require('../traverse');

const {
  removePassword,
  removePrivate,
  removeDynamicZones,
  removeMorphToRelations,
} = require('./visitors');

const sanitizePasswords = curry((schema, entity) => {
  return traverseEntity(removePassword, { schema }, entity);
});

const sanitizePrivates = curry((schema, entity) => {
  return traverseEntity(removePrivate, { schema }, entity);
});

const defaultSanitizeOutput = curry((schema, entity) => {
  return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);
});

const defaultSanitizeFilters = curry((schema, filters) => {
  return pipeAsync(
    // Remove dynamic zones from filters
    traverseQueryFilters(removeDynamicZones, { schema }),
    // Remove morpTo relations from filters
    traverseQueryFilters(removeMorphToRelations, { schema }),
    // Remove passwords from filters
    traverseQueryFilters(removePassword, { schema }),
    // Remove private from filters
    traverseQueryFilters(removePrivate, { schema }),
    // Remove empty objects
    traverseQueryFilters(
      ({ key, value }, { remove }) => {
        if (isObject(value) && isEmpty(value)) {
          remove(key);
        }
      },
      { schema }
    )
  )(filters);
});

const defaultSanitizeSort = curry((schema, sort) => {
  return pipeAsync(
    // Remove non attribute keys
    traverseQuerySort(
      ({ key, attribute }, { remove }) => {
        if (!attribute) {
          remove(key);
        }
      },
      { schema }
    ),
    // Remove dynamic zones from sort
    traverseQuerySort(removeDynamicZones, { schema }),
    // Remove morpTo relations from sort
    traverseQuerySort(removeMorphToRelations, { schema }),
    // Remove private from sort
    traverseQuerySort(removePrivate, { schema }),
    // Remove passwords from filters
    traverseQuerySort(removePassword, { schema }),
    // Remove keys for empty non-scalar values
    traverseQuerySort(
      ({ key, attribute, value }, { remove }) => {
        if (!isScalarAttribute(attribute) && isEmpty(value)) {
          remove(key);
        }
      },
      { schema }
    )
  )(sort);
});

const defaultSanitizeFields = curry((schema, fields) => {
  return pipeAsync(
    // Only keep scalar attributes
    traverseQueryFields(
      ({ key, attribute }, { remove }) => {
        if (isNil(attribute) || !isScalarAttribute(attribute)) {
          remove(key);
        }
      },
      { schema }
    ),
    // Remove private fields
    traverseQueryFields(removePrivate, { schema }),
    // Remove password fields
    traverseQueryFields(removePassword, { schema }),
    // Remove nil values from fields array
    (value) => (isArray(value) ? value.filter((field) => !isNil(field)) : value)
  )(fields);
});

const defaultSanitizePopulate = curry((schema, populate) => {
  return pipeAsync(
    traverseQueryPopulate(
      async ({ key, value, schema, attribute }, { set }) => {
        if (attribute) {
          return;
        }

        if (key === 'sort') {
          set(key, await defaultSanitizeSort(schema, value));
        }

        if (key === 'filters') {
          set(key, await defaultSanitizeFilters(schema, value));
        }

        if (key === 'fields') {
          set(key, await defaultSanitizeFields(schema, value));
        }
      },
      { schema }
    ),
    // Remove private fields
    traverseQueryPopulate(removePrivate, { schema })
  )(populate);
});

module.exports = {
  sanitizePasswords,
  sanitizePrivates,
  defaultSanitizeOutput,
  defaultSanitizeFilters,
  defaultSanitizeSort,
  defaultSanitizeFields,
  defaultSanitizePopulate,
};
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00			`'use strict';`

add traverse query fix single type fix query sanitize pagination count params add comments Cleanup the params/filters sanitize helpers sanitize association resolver Sanitize sort fix graphql single type fix graphql types fix addFindQuery Sanitize fields Update sanitize sort to handle all the different formats Update fields sanitize to handle regular strings & wildcard Fix non scalar recursion Add a traverse factory Add visitor to remove dz & morph relations Replace the old traverse utils (sort, filters) by one created using the traverse factory add sanitize populate await args fix async and duplicate sanitization sanitize u&p params Add traverse fields Fix traverse & sanitize fields add traverse fields to nested populate sanitize admin api filter queries Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> sanitize sort params in admin API todo make token fields unsearchable with _q sanitize delete mutation Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Jamie Howard <48524071+jhoward1994@users.noreply.github.com> fix errors on queries without ctx rename findParams to sanitizedParams Sanitize queries everywhere in the content manager admin controllers sanitize single type update and delete Ignore non attribute keys in the sanitize sort Fix the sanitize query sort for nested string sort Fix permission check for the admin typo sanitize upload sanitize admin media library sanitize admin users Add missing await Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> set U&P users fields to searchable:false add token support to createContentAPIRequest add searchable:false to getstarted U&P schema remove comment sanitize component resolver remove await add searchable false to the file's folder path Fix admin query when the permission query is set to null add basic tests for filtering private params add tests for fields add pagination tests Fix admin user fields not being sanitized Fix convert query params for the morph fragment on undefined value Traverse dynamic zone on nested populate Handle nested sort, filters & fields in populate queries + handle populate fragment for morphTo relations Sanitize 'on' subpopulate Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> don't throw error on invalid attributes check models for snake case column name instead of assuming they are operators Add first batch of api tests for params sanitize Fix sort traversal: handle object arrays Put back removePassword for fields,sort,filters Add schemas and fixtures for sanitize api tests Add tests for relations (sanitize api tests) Move constant to domain scope Rename sanitize params to sanitize query Fix typo Cleanup fixtures file Fix variable name conflict Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Alexandre BODIN <alexandrebodin@users.noreply.github.com> Update comment for array filters Rename sanitize test Test implicit & explicit array operator for filter Remove unused code 2023-02-09 11:35:50 +01:00			`const { curry, isEmpty, isNil, isArray, isObject } = require('lodash/fp');`
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00
feat(core-utils): add mapAsync and reduceAsync utils 2022-12-08 17:17:11 +01:00			`const { pipeAsync } = require('../async');`
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00			`const traverseEntity = require('../traverse-entity');`
add traverse query fix single type fix query sanitize pagination count params add comments Cleanup the params/filters sanitize helpers sanitize association resolver Sanitize sort fix graphql single type fix graphql types fix addFindQuery Sanitize fields Update sanitize sort to handle all the different formats Update fields sanitize to handle regular strings & wildcard Fix non scalar recursion Add a traverse factory Add visitor to remove dz & morph relations Replace the old traverse utils (sort, filters) by one created using the traverse factory add sanitize populate await args fix async and duplicate sanitization sanitize u&p params Add traverse fields Fix traverse & sanitize fields add traverse fields to nested populate sanitize admin api filter queries Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> sanitize sort params in admin API todo make token fields unsearchable with _q sanitize delete mutation Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Jamie Howard <48524071+jhoward1994@users.noreply.github.com> fix errors on queries without ctx rename findParams to sanitizedParams Sanitize queries everywhere in the content manager admin controllers sanitize single type update and delete Ignore non attribute keys in the sanitize sort Fix the sanitize query sort for nested string sort Fix permission check for the admin typo sanitize upload sanitize admin media library sanitize admin users Add missing await Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> set U&P users fields to searchable:false add token support to createContentAPIRequest add searchable:false to getstarted U&P schema remove comment sanitize component resolver remove await add searchable false to the file's folder path Fix admin query when the permission query is set to null add basic tests for filtering private params add tests for fields add pagination tests Fix admin user fields not being sanitized Fix convert query params for the morph fragment on undefined value Traverse dynamic zone on nested populate Handle nested sort, filters & fields in populate queries + handle populate fragment for morphTo relations Sanitize 'on' subpopulate Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> don't throw error on invalid attributes check models for snake case column name instead of assuming they are operators Add first batch of api tests for params sanitize Fix sort traversal: handle object arrays Put back removePassword for fields,sort,filters Add schemas and fixtures for sanitize api tests Add tests for relations (sanitize api tests) Move constant to domain scope Rename sanitize params to sanitize query Fix typo Cleanup fixtures file Fix variable name conflict Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Alexandre BODIN <alexandrebodin@users.noreply.github.com> Update comment for array filters Rename sanitize test Test implicit & explicit array operator for filter Remove unused code 2023-02-09 11:35:50 +01:00			`const { isScalarAttribute } = require('../content-types');`
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00
add traverse query fix single type fix query sanitize pagination count params add comments Cleanup the params/filters sanitize helpers sanitize association resolver Sanitize sort fix graphql single type fix graphql types fix addFindQuery Sanitize fields Update sanitize sort to handle all the different formats Update fields sanitize to handle regular strings & wildcard Fix non scalar recursion Add a traverse factory Add visitor to remove dz & morph relations Replace the old traverse utils (sort, filters) by one created using the traverse factory add sanitize populate await args fix async and duplicate sanitization sanitize u&p params Add traverse fields Fix traverse & sanitize fields add traverse fields to nested populate sanitize admin api filter queries Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> sanitize sort params in admin API todo make token fields unsearchable with _q sanitize delete mutation Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Jamie Howard <48524071+jhoward1994@users.noreply.github.com> fix errors on queries without ctx rename findParams to sanitizedParams Sanitize queries everywhere in the content manager admin controllers sanitize single type update and delete Ignore non attribute keys in the sanitize sort Fix the sanitize query sort for nested string sort Fix permission check for the admin typo sanitize upload sanitize admin media library sanitize admin users Add missing await Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> set U&P users fields to searchable:false add token support to createContentAPIRequest add searchable:false to getstarted U&P schema remove comment sanitize component resolver remove await add searchable false to the file's folder path Fix admin query when the permission query is set to null add basic tests for filtering private params add tests for fields add pagination tests Fix admin user fields not being sanitized Fix convert query params for the morph fragment on undefined value Traverse dynamic zone on nested populate Handle nested sort, filters & fields in populate queries + handle populate fragment for morphTo relations Sanitize 'on' subpopulate Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> don't throw error on invalid attributes check models for snake case column name instead of assuming they are operators Add first batch of api tests for params sanitize Fix sort traversal: handle object arrays Put back removePassword for fields,sort,filters Add schemas and fixtures for sanitize api tests Add tests for relations (sanitize api tests) Move constant to domain scope Rename sanitize params to sanitize query Fix typo Cleanup fixtures file Fix variable name conflict Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Alexandre BODIN <alexandrebodin@users.noreply.github.com> Update comment for array filters Rename sanitize test Test implicit & explicit array operator for filter Remove unused code 2023-02-09 11:35:50 +01:00			`const {`
			`traverseQueryFilters,`
			`traverseQuerySort,`
			`traverseQueryPopulate,`
			`traverseQueryFields,`
			`} = require('../traverse');`

			`const {`
			`removePassword,`
			`removePrivate,`
			`removeDynamicZones,`
			`removeMorphToRelations,`
			`} = require('./visitors');`
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00
			`const sanitizePasswords = curry((schema, entity) => {`
			`return traverseEntity(removePassword, { schema }, entity);`
			`});`

			`const sanitizePrivates = curry((schema, entity) => {`
			`return traverseEntity(removePrivate, { schema }, entity);`
			`});`

			`const defaultSanitizeOutput = curry((schema, entity) => {`
			`return pipeAsync(sanitizePrivates(schema), sanitizePasswords(schema))(entity);`
			`});`

add traverse query fix single type fix query sanitize pagination count params add comments Cleanup the params/filters sanitize helpers sanitize association resolver Sanitize sort fix graphql single type fix graphql types fix addFindQuery Sanitize fields Update sanitize sort to handle all the different formats Update fields sanitize to handle regular strings & wildcard Fix non scalar recursion Add a traverse factory Add visitor to remove dz & morph relations Replace the old traverse utils (sort, filters) by one created using the traverse factory add sanitize populate await args fix async and duplicate sanitization sanitize u&p params Add traverse fields Fix traverse & sanitize fields add traverse fields to nested populate sanitize admin api filter queries Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> sanitize sort params in admin API todo make token fields unsearchable with _q sanitize delete mutation Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Jamie Howard <48524071+jhoward1994@users.noreply.github.com> fix errors on queries without ctx rename findParams to sanitizedParams Sanitize queries everywhere in the content manager admin controllers sanitize single type update and delete Ignore non attribute keys in the sanitize sort Fix the sanitize query sort for nested string sort Fix permission check for the admin typo sanitize upload sanitize admin media library sanitize admin users Add missing await Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> set U&P users fields to searchable:false add token support to createContentAPIRequest add searchable:false to getstarted U&P schema remove comment sanitize component resolver remove await add searchable false to the file's folder path Fix admin query when the permission query is set to null add basic tests for filtering private params add tests for fields add pagination tests Fix admin user fields not being sanitized Fix convert query params for the morph fragment on undefined value Traverse dynamic zone on nested populate Handle nested sort, filters & fields in populate queries + handle populate fragment for morphTo relations Sanitize 'on' subpopulate Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> don't throw error on invalid attributes check models for snake case column name instead of assuming they are operators Add first batch of api tests for params sanitize Fix sort traversal: handle object arrays Put back removePassword for fields,sort,filters Add schemas and fixtures for sanitize api tests Add tests for relations (sanitize api tests) Move constant to domain scope Rename sanitize params to sanitize query Fix typo Cleanup fixtures file Fix variable name conflict Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Alexandre BODIN <alexandrebodin@users.noreply.github.com> Update comment for array filters Rename sanitize test Test implicit & explicit array operator for filter Remove unused code 2023-02-09 11:35:50 +01:00			`const defaultSanitizeFilters = curry((schema, filters) => {`
			`return pipeAsync(`
			`// Remove dynamic zones from filters`
			`traverseQueryFilters(removeDynamicZones, { schema }),`
			`// Remove morpTo relations from filters`
			`traverseQueryFilters(removeMorphToRelations, { schema }),`
			`// Remove passwords from filters`
			`traverseQueryFilters(removePassword, { schema }),`
			`// Remove private from filters`
			`traverseQueryFilters(removePrivate, { schema }),`
			`// Remove empty objects`
			`traverseQueryFilters(`
			`({ key, value }, { remove }) => {`
			`if (isObject(value) && isEmpty(value)) {`
			`remove(key);`
			`}`
			`},`
			`{ schema }`
			`)`
			`)(filters);`
			`});`

			`const defaultSanitizeSort = curry((schema, sort) => {`
			`return pipeAsync(`
			`// Remove non attribute keys`
			`traverseQuerySort(`
			`({ key, attribute }, { remove }) => {`
			`if (!attribute) {`
			`remove(key);`
			`}`
			`},`
			`{ schema }`
			`),`
			`// Remove dynamic zones from sort`
			`traverseQuerySort(removeDynamicZones, { schema }),`
			`// Remove morpTo relations from sort`
			`traverseQuerySort(removeMorphToRelations, { schema }),`
			`// Remove private from sort`
			`traverseQuerySort(removePrivate, { schema }),`
			`// Remove passwords from filters`
			`traverseQuerySort(removePassword, { schema }),`
			`// Remove keys for empty non-scalar values`
			`traverseQuerySort(`
			`({ key, attribute, value }, { remove }) => {`
			`if (!isScalarAttribute(attribute) && isEmpty(value)) {`
			`remove(key);`
			`}`
			`},`
			`{ schema }`
			`)`
			`)(sort);`
			`});`

			`const defaultSanitizeFields = curry((schema, fields) => {`
			`return pipeAsync(`
			`// Only keep scalar attributes`
			`traverseQueryFields(`
			`({ key, attribute }, { remove }) => {`
			`if (isNil(attribute) \|\| !isScalarAttribute(attribute)) {`
			`remove(key);`
			`}`
			`},`
			`{ schema }`
			`),`
			`// Remove private fields`
			`traverseQueryFields(removePrivate, { schema }),`
			`// Remove password fields`
			`traverseQueryFields(removePassword, { schema }),`
			`// Remove nil values from fields array`
			`(value) => (isArray(value) ? value.filter((field) => !isNil(field)) : value)`
			`)(fields);`
			`});`

			`const defaultSanitizePopulate = curry((schema, populate) => {`
			`return pipeAsync(`
			`traverseQueryPopulate(`
			`async ({ key, value, schema, attribute }, { set }) => {`
			`if (attribute) {`
			`return;`
			`}`

			`if (key === 'sort') {`
			`set(key, await defaultSanitizeSort(schema, value));`
			`}`

			`if (key === 'filters') {`
			`set(key, await defaultSanitizeFilters(schema, value));`
			`}`

			`if (key === 'fields') {`
			`set(key, await defaultSanitizeFields(schema, value));`
			`}`
			`},`
			`{ schema }`
			`),`
			`// Remove private fields`
			`traverseQueryPopulate(removePrivate, { schema })`
			`)(populate);`
			`});`

Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00			`module.exports = {`
			`sanitizePasswords,`
			`sanitizePrivates,`
			`defaultSanitizeOutput,`
add traverse query fix single type fix query sanitize pagination count params add comments Cleanup the params/filters sanitize helpers sanitize association resolver Sanitize sort fix graphql single type fix graphql types fix addFindQuery Sanitize fields Update sanitize sort to handle all the different formats Update fields sanitize to handle regular strings & wildcard Fix non scalar recursion Add a traverse factory Add visitor to remove dz & morph relations Replace the old traverse utils (sort, filters) by one created using the traverse factory add sanitize populate await args fix async and duplicate sanitization sanitize u&p params Add traverse fields Fix traverse & sanitize fields add traverse fields to nested populate sanitize admin api filter queries Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> sanitize sort params in admin API todo make token fields unsearchable with _q sanitize delete mutation Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Jamie Howard <48524071+jhoward1994@users.noreply.github.com> fix errors on queries without ctx rename findParams to sanitizedParams Sanitize queries everywhere in the content manager admin controllers sanitize single type update and delete Ignore non attribute keys in the sanitize sort Fix the sanitize query sort for nested string sort Fix permission check for the admin typo sanitize upload sanitize admin media library sanitize admin users Add missing await Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> set U&P users fields to searchable:false add token support to createContentAPIRequest add searchable:false to getstarted U&P schema remove comment sanitize component resolver remove await add searchable false to the file's folder path Fix admin query when the permission query is set to null add basic tests for filtering private params add tests for fields add pagination tests Fix admin user fields not being sanitized Fix convert query params for the morph fragment on undefined value Traverse dynamic zone on nested populate Handle nested sort, filters & fields in populate queries + handle populate fragment for morphTo relations Sanitize 'on' subpopulate Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com> don't throw error on invalid attributes check models for snake case column name instead of assuming they are operators Add first batch of api tests for params sanitize Fix sort traversal: handle object arrays Put back removePassword for fields,sort,filters Add schemas and fixtures for sanitize api tests Add tests for relations (sanitize api tests) Move constant to domain scope Rename sanitize params to sanitize query Fix typo Cleanup fixtures file Fix variable name conflict Update packages/core/admin/server/services/permission/permissions-manager/sanitize.js Co-authored-by: Alexandre BODIN <alexandrebodin@users.noreply.github.com> Update comment for array filters Rename sanitize test Test implicit & explicit array operator for filter Remove unused code 2023-02-09 11:35:50 +01:00			`defaultSanitizeFilters,`
			`defaultSanitizeSort,`
			`defaultSanitizeFields,`
			`defaultSanitizePopulate,`
Simplify & abstract common sanitize logic 2021-11-08 15:52:42 +01:00			`};`