admin/twenty
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Refactor raw queries to use prepared query to avoid security vuln. (#6348)

Browse Source 
As per title, we should avoid at all cost using non-prepared query and
NEVER use them whenever the input come from the user.
This commit is contained in:
Charles Bochet
2024-07-19 22:32:40 +02:00
committed by GitHub
parent cac0d22285
commit 2e38c3bbc1
2 changed files with 23 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts
View File

@ -1,20 +1,20 @@
import { PassportStrategy } from '@nestjs/passport';
import {
ForbiddenException,
Injectable,
UnauthorizedException,
} from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { InjectRepository } from '@nestjs/typeorm';
import { Strategy, ExtractJwt } from 'passport-jwt';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { Repository } from 'typeorm';
import { assert } from 'src/utils/assert';
import { EnvironmentService } from 'src/engine/integrations/environment/environment.service';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { User } from 'src/engine/core-modules/user/user.entity';
import { TypeORMService } from 'src/database/typeorm/typeorm.service';
import { User } from 'src/engine/core-modules/user/user.entity';
import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
import { EnvironmentService } from 'src/engine/integrations/environment/environment.service';
import { DataSourceService } from 'src/engine/metadata-modules/data-source/data-source.service';
import { assert } from 'src/utils/assert';
export type JwtPayload = { sub: string; workspaceId: string; jti?: string };
export type PassportUser = { user?: User; workspace: Workspace };
@ -55,7 +55,8 @@ export class JwtAuthStrategy extends PassportStrategy(Strategy, 'jwt') {
await this.typeORMService.connectToDataSource(dataSourceMetadata);
const apiKey = await workspaceDataSource?.query(
`SELECT * FROM ${dataSourceMetadata.schema}."apiKey" WHERE id = '${payload.jti}'`,
`SELECT * FROM ${dataSourceMetadata.schema}."apiKey" WHERE id = $1`,
[payload.jti],
);
assert(