
adapter-commons/filter-query.ts:cleanQuery whitelist test

Open TimNZ opened this issue 6 years ago • 2 comments

I've added additional known operators to the whitelist option for feathers-sequelize, but cleanQuery is also failing things like '$primaryLocation.city$'.

Is it reasonable that sequelize field expressions are blacklisted by default, or can you test for $ at start and end and allow, or have that as another option along whitelist, or support regexp values in whitelist?

TimNZ avatar Aug 31 '19 23:08 TimNZ

It almost looks like we'd want to be able to whitelist a regular expression.

daffl avatar Sep 04 '19 17:09 daffl

Yes please - loop through the array and test whether each item is a string or a regexp and test accordingly, vs the current 'includes' test.

TimNZ avatar Sep 04 '19 20:09 TimNZ
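An added illustration of the string-or-regexp whitelist proposed above; this is not code from the feathers repository, and the `cleanQuery` name, the default operator list and the `SEQUELIZE_COLUMN_REF` pattern are assumptions for the example.

```javascript
// Added example (not feathers' own code): a query sanitiser whose whitelist
// may contain plain strings or RegExps, so a rule can admit Sequelize column
// references like "$primaryLocation.city$" without admitting arbitrary
// "$..." operators.

// Assumed default operator list for the example.
const DEFAULT_OPERATORS = [
  '$sort', '$limit', '$skip', '$select',
  '$in', '$nin', '$lt', '$lte', '$gt', '$gte', '$ne', '$or'
];

// Sequelize field expressions: "$" + dotted identifier path + "$".
// Anchored on both ends so "$where" or "$func(x)$" never match.
const SEQUELIZE_COLUMN_REF = /^\$[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\$$/;

// A string rule must match exactly; a RegExp rule is tested against the key.
function isAllowed(key, rules) {
  return rules.some(rule =>
    rule instanceof RegExp ? rule.test(key) : rule === key
  );
}

// Walks the query recursively (objects and arrays such as $or) and throws
// on any "$"-prefixed key that is neither a default operator nor whitelisted.
function cleanQuery(query, whitelist = []) {
  const rules = [...DEFAULT_OPERATORS, ...whitelist];

  const walk = value => {
    if (Array.isArray(value)) return value.map(walk);
    if (value === null || typeof value !== 'object' || value instanceof Date) {
      return value;
    }
    const result = {};
    for (const [key, child] of Object.entries(value)) {
      if (key.startsWith('$') && !isAllowed(key, rules)) {
        throw new Error(`Invalid query parameter ${key}`);
      }
      result[key] = walk(child);
    }
    return result;
  };

  return walk(query);
}

module.exports = { DEFAULT_OPERATORS, SEQUELIZE_COLUMN_REF, isAllowed, cleanQuery };
```

Without the RegExp rule the column reference is rejected exactly as the issue describes; with it, only keys that fit the anchored pattern pass.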

So over the last little while we realised that all the query sanitisation is just a complicated and convoluted way of doing query schema validation, which is exactly what we'd like to encourage in the future. So https://github.com/feathersjs/feathers/pull/2906 implemented a change that skips query sanitisation if you already validated your query against a schema, which will be the recommended way going forward.

daffl avatar Dec 09 '22 00:12 daffl