Move query building for access checks off the request handling path e…

…xcept for list records where the current filter-where-clause construction doesn't allow for it.
trailbaseio · Dec 17, 2024 · bd0b33e · bd0b33e
1 parent 312d161
commit bd0b33e
Show file tree

Hide file tree

Showing 5 changed files with 243 additions and 183 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/trailbase-core/src/listing.rs b/trailbase-core/src/listing.rs
@@ -4,7 +4,7 @@ use std::borrow::Cow;
 use std::collections::HashMap;
 use thiserror::Error;
 
-use crate::records::json_to_sql::simple_json_value_to_param;
+use crate::records::json_to_sql::json_string_to_value;
 use crate::table_metadata::TableOrViewMetadata;
 use crate::util::b64_to_id;
 
@@ -141,6 +141,16 @@ pub fn parse_query(query: Option<String>) -> Option<QueryParseResult> {
           continue;
         };
 
+        if !k
+          .chars()
+          .all(|c| c.is_alphanumeric() || c == '.' || c == '-' || c == '_')
+        {
+          #[cfg(debug_assertions)]
+          debug!("skipping non-trivial query param: {key}={value}");
+
+          continue;
+        }
+
         if value.is_empty() {
           continue;
         }
@@ -183,6 +193,8 @@ pub fn build_filter_where_clause(
         )));
       }
 
+      // IMPORTANT: We only include parameters with known columns to avoid building an invalid
+      // query early and forbid injections.
       let Some((col, _col_meta)) = table_metadata.column_by_name(&column_name) else {
         return Err(WhereClauseError::UnrecognizedParam(format!(
           "Unrecognized parameter: {column_name}"
@@ -195,10 +207,7 @@ pub fn build_filter_where_clause(
           continue;
         };
 
-        match simple_json_value_to_param(
-          col.data_type,
-          serde_json::Value::String(query_param.value.clone()),
-        ) {
+        match json_string_to_value(col.data_type, query_param.value) {
           Ok(value) => {
             where_clauses.push(format!("{column_name} {op} :{column_name}"));
             params.push((format!(":{column_name}").into(), value));

diff --git a/trailbase-core/src/records/json_to_sql.rs b/trailbase-core/src/records/json_to_sql.rs
@@ -691,7 +691,10 @@ fn try_json_array_to_blob(arr: &Vec<serde_json::Value>) -> Result<Value, ParamsE
   return Ok(Value::Blob(byte_array));
 }
 
-fn json_string_to_value(data_type: ColumnDataType, value: String) -> Result<Value, ParamsError> {
+pub(crate) fn json_string_to_value(
+  data_type: ColumnDataType,
+  value: String,
+) -> Result<Value, ParamsError> {
   return Ok(match data_type {
     ColumnDataType::Null => Value::Null,
     // Strict/storage types

diff --git a/trailbase-core/src/records/list_records.rs b/trailbase-core/src/records/list_records.rs
@@ -2,7 +2,9 @@ use axum::{
   extract::{Path, RawQuery, State},
   Json,
 };
+use itertools::Itertools;
 use std::borrow::Cow;
+use trailbase_sqlite::Value;
 
 use crate::app_state::AppState;
 use crate::auth::user::User;
@@ -48,24 +50,19 @@ pub async fn list_records_handler(
     .map_err(|_err| RecordError::BadRequest("Invalid filter params"))?;
 
   if let Some(cursor) = cursor {
-    params.push((
-      Cow::Borrowed(":cursor"),
-      trailbase_sqlite::Value::Blob(cursor.to_vec()),
-    ));
+    params.push((Cow::Borrowed(":cursor"), Value::Blob(cursor.to_vec())));
     clause = format!("{clause} AND _ROW_.id < :cursor");
   }
 
   // User properties
   params.extend_from_slice(&[
     (
       Cow::Borrowed(":limit"),
-      trailbase_sqlite::Value::Integer(limit_or_default(limit) as i64),
+      Value::Integer(limit_or_default(limit) as i64),
     ),
     (
       Cow::Borrowed(":__user_id"),
-      user.map_or(trailbase_sqlite::Value::Null, |u| {
-        trailbase_sqlite::Value::Blob(u.uuid.into())
-      }),
+      user.map_or(Value::Null, |u| Value::Blob(u.uuid.into())),
     ),
   ]);
 
@@ -75,7 +72,7 @@ pub async fn list_records_handler(
   // TODO: Should this be a separate access rule? Maybe one wants users to access a specific
   // record but not list all the records.
   if let Some(read_access) = api.access_rule(Permission::Read) {
-    clause = format!("({clause}) AND {read_access}");
+    clause = format!("({read_access}) AND ({clause})");
   }
 
   let default_ordering = || {
@@ -94,7 +91,6 @@ pub async fn list_records_handler(
         }
       )
     })
-    .collect::<Vec<_>>()
     .join(", ");
 
   let query = format!(