Merge pull request #12725 from luanorlandi/fix/sanitize-date-query-param

Fix sanitization of datetime type in query param
2025-10-31 01:47:13 +00:00 · 2022-03-11 11:52:23 +01:00 · 2022-03-11 11:52:23 +01:00 · 2c8eb45683
commit 2c8eb45683
parent 463e9cc9cf 506cf9e15b
3 changed files with 183 additions and 3 deletions
--- a/packages/core/utils/lib/convert-query-params.js
+++ b/packages/core/utils/lib/convert-query-params.js
@ -4,7 +4,7 @@
 * Converts the standard Strapi REST query params to a more usable format for querying
 * You can read more here: https://docs.strapi.io/developer-docs/latest/developer-resources/database-apis-reference/rest-api.html#filters
 */
-const { has, isEmpty, isObject, cloneDeep, get } = require('lodash/fp');
+const { has, isEmpty, isObject, isPlainObject, cloneDeep, get } = require('lodash/fp');
 const _ = require('lodash');
 const parseType = require('./parse-type');
 const contentTypesUtils = require('./content-types');
@ -286,7 +286,7 @@ const convertFiltersQueryParams = (filters, schema) => {
 };
 const convertAndSanitizeFilters = (filters, schema) => {
-  if (!isObject(filters)) {
+  if (!isPlainObject(filters)) {
    return filters;
  }
@ -349,7 +349,7 @@ const convertAndSanitizeFilters = (filters, schema) => {
    }
    // Remove empty objects & arrays
-    if (isObject(filters[key]) && isEmpty(filters[key])) {
+    if (isPlainObject(filters[key]) && isEmpty(filters[key])) {
      removeOperator(key);
    }
  }
--- a/packages/plugins/graphql/tests/fields/date.test.e2e.js
+++ b/packages/plugins/graphql/tests/fields/date.test.e2e.js
@ -113,5 +113,35 @@ describe('Test Graphql API End to End', () => {
        });
      }
    );
    test.each(['2022-03-17'])('Can filter query with date: %s', async value => {
      const res = await graphqlQuery({
        query: /* GraphQL */ `
          query posts($myDate: Date!) {
            posts(filters: { myDate: { gt: $myDate } }) {
              data {
                attributes {
                  myDate
                }
              }
            }
          }
        `,
        variables: {
          myDate: value,
        },
      });
      const { body } = res;
      expect(res.statusCode).toBe(200);
      expect(body).toEqual({
        data: {
          posts: {
            data: [],
          },
        },
      });
    });
  });
 });
--- a/packages/plugins/graphql/tests/fields/datetime.test.e2e.js
+++ b/packages/plugins/graphql/tests/fields/datetime.test.e2e.js
@ -0,0 +1,150 @@
 'use strict';
 // Helpers.
 const { createTestBuilder } = require('../../../../../test/helpers/builder');
 const { createStrapiInstance } = require('../../../../../test/helpers/strapi');
 const { createAuthRequest } = require('../../../../../test/helpers/request');
 const builder = createTestBuilder();
 let strapi;
 let rq;
 let graphqlQuery;
 const postModel = {
  attributes: {
    myDatetime: {
      type: 'datetime',
    },
  },
  singularName: 'post',
  pluralName: 'posts',
  displayName: 'Post',
  description: '',
  collectionName: '',
 };
 describe('Test Graphql API End to End', () => {
  beforeAll(async () => {
    await builder.addContentType(postModel).build();
    strapi = await createStrapiInstance();
    rq = await createAuthRequest({ strapi });
    graphqlQuery = body => {
      return rq({
        url: '/graphql',
        method: 'POST',
        body,
      });
    };
  });
  afterAll(async () => {
    await strapi.destroy();
    await builder.cleanup();
  });
  describe('GraphQL - Datetime field', () => {
    test.each(['2022-03-17T15:06:57.000Z', null])(
      'Can create an entity with datetime equals: %s',
      async value => {
        const res = await graphqlQuery({
          query: /* GraphQL */ `
            mutation createPost($data: PostInput!) {
              createPost(data: $data) {
                data {
                  attributes {
                    myDatetime
                  }
                }
              }
            }
          `,
          variables: {
            data: {
              myDatetime: value,
            },
          },
        });
        const { body } = res;
        expect(res.statusCode).toBe(200);
        expect(body).toEqual({
          data: {
            createPost: {
              data: {
                attributes: { myDatetime: value },
              },
            },
          },
        });
      }
    );
    test.each(['2022-03-17', {}, [], 'something'])(
      'Cannot create an entity with datetime equals: %s',
      async value => {
        const res = await graphqlQuery({
          query: /* GraphQL */ `
            mutation createPost($data: PostInput!) {
              createPost(data: $data) {
                data {
                  attributes {
                    myDatetime
                  }
                }
              }
            }
          `,
          variables: {
            data: {
              myDatetime: value,
            },
          },
        });
        const { body } = res;
        expect(res.statusCode).toBe(400);
        expect(body).toMatchObject({
          errors: [
            {
              extensions: { code: 'BAD_USER_INPUT' },
            },
          ],
        });
      }
    );
    test.each(['2022-03-17T15:06:57.878Z'])('Can filter query with datetime: %s', async value => {
      const res = await graphqlQuery({
        query: /* GraphQL */ `
          query posts($myDatetime: DateTime!) {
            posts(filters: { myDatetime: { gt: $myDatetime } }) {
              data {
                attributes {
                  myDatetime
                }
              }
            }
          }
        `,
        variables: {
          myDatetime: value,
        },
      });
      const { body } = res;
      expect(res.statusCode).toBe(200);
      expect(body).toEqual({
        data: {
          posts: {
            data: [],
          },
        },
      });
    });
  });
 });