diff --git a/example/nodejs/package.json b/example/nodejs/package.json
index e0f58bb7a..63a454263 100644
--- a/example/nodejs/package.json
+++ b/example/nodejs/package.json
@@ -6,7 +6,7 @@
 "dependencies": {
 "@aws-sdk/client-s3": "^3.451.0",
 "@types/sanitize-html": "^2.13.0",
- "@viron/lib": "2.4.0-alpha.3",
+ "@viron/lib": "2.4.0-alpha.4",
 "accepts": "^1.3.7",
 "compression": "^1.7.4",
 "cookie-parser": "^1.4.5",
diff --git a/packages/nodejs/package.json b/packages/nodejs/package.json
index c6e013c32..9444d3fd2 100644
--- a/packages/nodejs/package.json
+++ b/packages/nodejs/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@viron/lib",
- "version": "2.4.0-alpha.3",
+ "version": "2.4.0-alpha.4",
 "scripts": {
 "build": "npm run clean && tsc --project tsconfig.json && cp -fr src/openapi dist/",
 "clean": "rm -rf dist && rm -f tsconfig.tsbuildinfo",
diff --git a/packages/nodejs/src/domains/adminrole.ts b/packages/nodejs/src/domains/adminrole.ts
index 001adc58c..24e251a12 100644
--- a/packages/nodejs/src/domains/adminrole.ts
+++ b/packages/nodejs/src/domains/adminrole.ts
@@ -93,16 +93,19 @@ const sync = async (now = Date.now()): Promise => {
 }
 };
 
+// adminroles(casbin_rule)で不正な文字列チェック カンマ、シングルクォート、ダブルクォートが文字列に含まれないこと
+const isValidCasbinRule = (str: string): boolean => /[,'"]/.test(str);
+
 // adminroles(casbin_rule)で不正な文字列チェック
 const validateAdminRole = (obj: AdminRole): void => {
- console.log('validateAdminRole: ', obj);
- // obj.idにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
- if (/[,'"]/.test(obj.id)) {
+ // obj.idのチェック
+ if (isValidCasbinRule(obj.id)) {
 throw invalidAdminRole();
 }
+
 for (const { resourceId, permission } of obj.permissions) {
- // resourceIdにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
- if (/[,'"]/.test(resourceId)) {
+ // resourceIdのチェック
+ if (isValidCasbinRule(resourceId)) {
 throw invalidAdminRole();
 }
 // permissionがPermissionに含まれることを確認
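Review bot: `isValidCasbinRule` returns true when the string is invalid — `/[,'"]/.test(str)` is true exactly when a comma or quote is present — so every call site reads `if (isValidCasbinRule(x)) throw`, the opposite of what the name promises; the same applies to the three uses in `validateUserRoles` in the next hunk. Either rename it to say what it detects, `const hasInvalidCasbinRuleChars = (str: string): boolean => /[,'"]/.test(str);`, or invert it to `!/[,'"]/.test(str)` and negate the conditions. The same character set is declared again as the OpenAPI `pattern: '^[^,''"]*$'` in adminroles.yaml and adminusers.yaml; a comment on this constant naming that schema pattern would keep the two from drifting if the set ever changes. Both are deny-lists, so any string without `, ' "` — including the empty string — passes; if that is intended, say so in the header comment.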
@@ -112,6 +115,17 @@ const validateAdminRole = (obj: AdminRole): void => {
 }
 };
 
+const validateUserRoles = (userId: string, roleIds: string[]): void => {
+ // userIdにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
+ if (isValidCasbinRule(userId)) {
+ throw invalidAdminRole();
+ }
+ // roleIdsにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
+ if (roleIds.some((roleId) => isValidCasbinRule(roleId))) {
+ throw invalidAdminRole();
+ }
+};
+
 // APIメソッドをPermissionに変換
 export const method2Permissions = (method: ApiMethod): Permission[] =>
 permissionMap[method];
@@ -128,6 +142,7 @@ export const addRoleForUser = async (
 userId: string,
 roleId: string
 ): Promise => {
+ validateUserRoles(userId, [roleId]);
 const casbin = repositoryContainer.getCasbin();
 return casbin.addRoleForUser(userId, roleId);
 };
@@ -148,6 +163,7 @@ export const updateRolesForUser = async (
 userId: string,
 roleIds: string[]
 ): Promise => {
+ validateUserRoles(userId, roleIds);
 await revokeRoleForUser(userId);
 await Promise.all(
 roleIds.map((roleId: string) => addRoleForUser(userId, roleId))
@@ -193,6 +209,7 @@ export const updatePermissionsForRole = async (
 roleId: string,
 permissions: AdminRolePermissions
 ): Promise => {
+ validateAdminRole({ id: roleId, permissions });
 const casbin = repositoryContainer.getCasbin();
 const policies = permissions.map(
 ({ resourceId, permission }): Policy =>
diff --git a/packages/nodejs/src/openapi/adminroles.yaml b/packages/nodejs/src/openapi/adminroles.yaml
index dbcf8d874..0af6149e1 100644
--- a/packages/nodejs/src/openapi/adminroles.yaml
+++ b/packages/nodejs/src/openapi/adminroles.yaml
@@ -128,7 +128,7 @@ components:
 id:
 description: ロールID
 type: string
- pattern: "^[^,'\"]*$"
+ pattern: '^[^,''"]*$'
 permissions:
 description: 権限
 type: array
@@ -162,7 +162,7 @@ components:
 id:
 description: ロールID
 type: string
- pattern: "^[^,'\"]*$"
+ pattern: '^[^,''"]*$'
 permissions:
 description: 権限
 type: array
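Review bot: `validateUserRoles` is the one validator in this hunk without a header comment, while its sibling `validateAdminRole` directly above carries one; add a line such as `// Reject a userId or roleId that would corrupt a casbin_rule entry (contains , ' or ")` so the contract is visible without reading the body. The `some` callback only forwards its argument, so `if (roleIds.some(isValidCasbinRule)) {` says the same thing more directly. Note that an empty `roleIds` passes vacuously; in `updateRolesForUser` (a later hunk on this line) that means all roles are revoked and none re-added, which is presumably the intended "clear roles" path but is worth stating in the comment.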
diff --git a/packages/nodejs/src/openapi/adminusers.yaml b/packages/nodejs/src/openapi/adminusers.yaml
index 270f5524b..b69a07dc4 100644
--- a/packages/nodejs/src/openapi/adminusers.yaml
+++ b/packages/nodejs/src/openapi/adminusers.yaml
@@ -161,6 +161,7 @@ components:
 type: array
 items:
 type: string
+ pattern: '^[^,''"]*$'
 required:
 - email
 - password
@@ -178,3 +179,4 @@ components:
 type: array
 items:
 type: string
+ pattern: '^[^,''"]*$'