pipedream
Fix data stores object parsing
Primary fix:
- [x] Using `Function` to evaluate JSON / JS objects - regex failed on some cases: on `time` values (containing `:`) and if there were spaces in between the key/value (e.g. `{key : "value"}` - note space before `:`)
Refactors:
- [x] return `parsedValue` whenever possible
- [x] new `value` propDefinition
- [x] change some logic of summary exports (affects order of execution only)
- [x] minor changes
Resolves #3515.
The latest updates on your projects.
| Name | Status | Preview | Updated |
|---|---|---|---|
| pipedream-docs | ✅ Ready (Inspect) | Visit Preview | Sep 2, 2022 at 11:09AM (UTC) |
| pipedream-docs-redirect-do-not-edit | ✅ Ready (Inspect) | Visit Preview | Sep 2, 2022 at 11:09AM (UTC) |
Thanks for submitting this PR! When we review PRs, we follow the Pipedream component guidelines. If you're not familiar, here's a quick checklist:
- [ ] Create components to address specific use cases whenever possible
- [ ] Component `key`s should follow the format `app_name_slug-slugified-component-name`
- [ ] Components should follow the standard directory structure
- [ ] Prefer Node.js client libraries to REST APIs
- [ ] When making API requests, handle pagination to ensure all data / events are processed
- [ ] Use `secret` props to capture sensitive data
- [ ] Props and methods should be defined in app files whenever possible
- [ ] Document methods with JS Docs
- [ ] Use `optional` props whenever possible, and set a `default` value where you can
- [ ] Use async options to accept user input wherever possible
@dylburger @vellames-turing @feyzullah would love your inputs on possible security issues - commit 1452494c
Hi @andrewjschuang, we had a convo about using `eval` last time. We decided not to use `eval` because if a user input is a malicious function, `eval` would run that function no matter what and we have no control over it. After that, @vellames-turing added and used the `xss` package for this reason. I think using `xss` and `JSON.parse` would be safe.
Function would limit the access of scopes and variables at least, so it's safer than eval.
I'm not sure how Data Stores are implemented - if it's just a user-limited container would it be an issue to expose this?
I've used this array for testing:
```
[
  "1",
  2,
  3.5,
  {
    key: "value",
  },
  new Date(),
  console.log("Hello!"),
  { "time" : "18:01:31" },
]
```
Result:

Note that console.log is executed and returns null, so that's what is being saved into the data store.
I've added a while(true) test, but I don't know why it throws an exception and saves everything as a string, which is nice.
Result:

Don't really know about other types of injected code.
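One way to accept the inputs this PR is about (a space before `:`, time values containing `:`) without evaluating what the user typed, shown as an added example that is not part of the PR or the Pipedream code base. `normalizeLiteral` and `parseValue` are hypothetical names, the sample inputs are constructed, and only double-quoted strings are supported.

```javascript
// Added example. normalizeLiteral and parseValue are hypothetical names,
// not part of the Pipedream code base.

// Rewrite a relaxed object literal into strict JSON text: quote bare keys and
// drop trailing commas, copying double-quoted strings verbatim so a value
// such as "18:01:31" is never treated as key/value syntax.
function normalizeLiteral(text) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    const rest = text.slice(i);
    if (rest[0] === '"') {
      let j = 1; // scan to the closing quote, skipping backslash escapes
      while (j < rest.length && rest[j] !== '"') j += rest[j] === "\\" ? 2 : 1;
      out += rest.slice(0, j + 1);
      i += j + 1;
      continue;
    }
    if (/^,\s*[}\]]/.test(rest)) { i += 1; continue; } // trailing comma
    // A bare key: identifier right after '{' or ',' and followed by ':'.
    const key = /^[A-Za-z_$][\w$]*(?=\s*:)/.exec(rest);
    if (key && /[{,]\s*$/.test(out)) {
      out += `"${key[0]}"`;
      i += key[0].length;
      continue;
    }
    out += rest[0];
    i += 1;
  }
  return out;
}

// Parse user input as data only. Anything that is not a pure literal
// (function calls, `new Date()`, loops) comes back unchanged as a string;
// it is never evaluated.
function parseValue(input) {
  if (typeof input !== "string") return { parsed: true, value: input };
  try {
    return { parsed: true, value: JSON.parse(normalizeLiteral(input)) };
  } catch {
    return { parsed: false, value: input };
  }
}

// Constructed inputs modelled on the cases raised in this thread.
const samples = ['{key : "value"}', '{ "time" : "18:01:31" }',
  'console.log("Hello!")', "new Date()", "while(true){}"];
for (const s of samples) console.log(s, "=>", JSON.stringify(parseValue(s)));
```

Inputs that fail to parse are stored as the original string, so a caller can tell structured data from free text by checking `parsed`.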
Hi @andrewjschuang, everything looks great. However, I consider you should change versions in the rest of components as well since you are touching `data_stores.app.mjs`. Don't you think?
Thanks, I don't think it's necessary since the changed parts of the app file don't affect the other components.
Hello everyone, I have tested this PR and there are some test cases that failed or need improvement.
Please check the test report below for more information: Data_Stores_3515_2202.pdf
Thanks, should be fixed!
/approve