michael/merlyn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

patch SQL injection opportunities [LOW RISK] (#234)

Browse Source
This commit is contained in:
Timothy Carambat 2023-09-12 01:27:04 +02:00 committed by GitHub
parent 3c88aec034
commit dc3dfbf314
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 69 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
server/endpoints/admin.js
View File

@ -1,3 +1,4 @@
const { escape } = require("sqlstring-sqlite");
const { ApiKey } = require("../models/apiKeys"); const { ApiKey } = require("../models/apiKeys");
const { Document } = require("../models/documents"); const { Document } = require("../models/documents");
const { Invite } = require("../models/invite"); const { Invite } = require("../models/invite");
@ -203,7 +204,7 @@ function adminEndpoints(app) {
const { workspaceId } = request.params; const { workspaceId } = request.params;
const { userIds } = reqBody(request); const { userIds } = reqBody(request);
const { success, error } = await Workspace.updateUsers( const { success, error } = await Workspace.updateUsers(
workspaceId, escape(Number(workspaceId)),
userIds userIds
); );
response.status(200).json({ success, error }); response.status(200).json({ success, error });
@ -227,16 +228,16 @@ function adminEndpoints(app) {
const { id } = request.params; const { id } = request.params;
const VectorDb = getVectorDbClass(); const VectorDb = getVectorDbClass();
const workspace = Workspace.get(`id = ${id}`); const workspace = Workspace.get(`id = ${escape(id)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(404).end(); response.sendStatus(404).end();
return; return;
} }
await Workspace.delete(`id = ${id}`); await Workspace.delete(`id = ${workspace.id}`);
await DocumentVectors.deleteForWorkspace(id); await DocumentVectors.deleteForWorkspace(workspace.id);
await Document.delete(`workspaceId = ${Number(id)}`); await Document.delete(`workspaceId = ${Number(workspace.id)}`);
await WorkspaceChats.delete(`workspaceId = ${Number(id)}`); await WorkspaceChats.delete(`workspaceId = ${Number(workspace.id)}`);
try { try {
await VectorDb["delete-namespace"]({ namespace: workspace.slug }); await VectorDb["delete-namespace"]({ namespace: workspace.slug });
} catch (e) { } catch (e) {
@ -262,7 +263,10 @@ function adminEndpoints(app) {
return; return;
} }
const { offset = 0 } = reqBody(request); const { offset = 0 } = reqBody(request);
const chats = await WorkspaceChats.whereWithData(`id >= ${offset}`, 20); const chats = await WorkspaceChats.whereWithData(
`id >= ${escape(offset)}`,
20
);
const hasPages = (await WorkspaceChats.count()) > 20; const hasPages = (await WorkspaceChats.count()) > 20;
response.status(200).json({ chats: chats.reverse(), hasPages }); response.status(200).json({ chats: chats.reverse(), hasPages });
} catch (e) { } catch (e) {

8
server/endpoints/api/admin/index.js
View File

@ -1,3 +1,4 @@
const { escape } = require("sqlstring-sqlite");
const { Invite } = require("../../../models/invite"); const { Invite } = require("../../../models/invite");
const { SystemSettings } = require("../../../models/systemSettings"); const { SystemSettings } = require("../../../models/systemSettings");
const { User } = require("../../../models/user"); const { User } = require("../../../models/user");
@ -456,7 +457,7 @@ function apiAdminEndpoints(app) {
const { workspaceId } = request.params; const { workspaceId } = request.params;
const { userIds } = reqBody(request); const { userIds } = reqBody(request);
const { success, error } = await Workspace.updateUsers( const { success, error } = await Workspace.updateUsers(
workspaceId, escape(Number(workspaceId)),
userIds userIds
); );
response.status(200).json({ success, error }); response.status(200).json({ success, error });
@ -515,7 +516,10 @@ function apiAdminEndpoints(app) {
} }
const { offset = 0 } = reqBody(request); const { offset = 0 } = reqBody(request);
const chats = await WorkspaceChats.whereWithData(`id >= ${offset}`, 20); const chats = await WorkspaceChats.whereWithData(
`id >= ${escape(offset)}`,
20
);
const hasPages = (await WorkspaceChats.count()) > 20; const hasPages = (await WorkspaceChats.count()) > 20;
response.status(200).json({ chats: chats.reverse(), hasPages }); response.status(200).json({ chats: chats.reverse(), hasPages });
} catch (e) { } catch (e) {

17
server/endpoints/api/workspace/index.js
View File

@ -1,3 +1,4 @@
const { escape } = require("sqlstring-sqlite");
const { Document } = require("../../../models/documents"); const { Document } = require("../../../models/documents");
const { Telemetry } = require("../../../models/telemetry"); const { Telemetry } = require("../../../models/telemetry");
const { DocumentVectors } = require("../../../models/vectors"); const { DocumentVectors } = require("../../../models/vectors");
@ -153,7 +154,7 @@ function apiWorkspaceEndpoints(app) {
*/ */
try { try {
const { slug } = request.params; const { slug } = request.params;
const workspace = await Workspace.get(`slug = '${slug}'`); const workspace = await Workspace.get(`slug = ${escape(slug)}`);
response.status(200).json({ workspace }); response.status(200).json({ workspace });
} catch (e) { } catch (e) {
console.log(e.message, e); console.log(e.message, e);
@ -184,14 +185,14 @@ function apiWorkspaceEndpoints(app) {
try { try {
const { slug = "" } = request.params; const { slug = "" } = request.params;
const VectorDb = getVectorDbClass(); const VectorDb = getVectorDbClass();
const workspace = await Workspace.get(`slug = '${slug}'`); const workspace = await Workspace.get(`slug = ${escape(slug)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
return; return;
} }
await Workspace.delete(`slug = '${slug.toLowerCase()}'`); await Workspace.delete(`id = ${Number(workspace.id)}`);
await DocumentVectors.deleteForWorkspace(workspace.id); await DocumentVectors.deleteForWorkspace(workspace.id);
await Document.delete(`workspaceId = ${Number(workspace.id)}`); await Document.delete(`workspaceId = ${Number(workspace.id)}`);
await WorkspaceChats.delete(`workspaceId = ${Number(workspace.id)}`); await WorkspaceChats.delete(`workspaceId = ${Number(workspace.id)}`);
@ -269,7 +270,7 @@ function apiWorkspaceEndpoints(app) {
try { try {
const { slug = null } = request.params; const { slug = null } = request.params;
const data = reqBody(request); const data = reqBody(request);
const currWorkspace = await Workspace.get(`slug = '${slug}'`); const currWorkspace = await Workspace.get(`slug = ${escape(slug)}`);
if (!currWorkspace) { if (!currWorkspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -333,7 +334,7 @@ function apiWorkspaceEndpoints(app) {
*/ */
try { try {
const { slug } = request.params; const { slug } = request.params;
const workspace = await Workspace.get(`slug = '${slug}'`); const workspace = await Workspace.get(`slug = ${escape(slug)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -408,7 +409,7 @@ function apiWorkspaceEndpoints(app) {
try { try {
const { slug = null } = request.params; const { slug = null } = request.params;
const { adds = [], deletes = [] } = reqBody(request); const { adds = [], deletes = [] } = reqBody(request);
const currWorkspace = await Workspace.get(`slug = '${slug}'`); const currWorkspace = await Workspace.get(`slug = ${escape(slug)}`);
if (!currWorkspace) { if (!currWorkspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -417,7 +418,9 @@ function apiWorkspaceEndpoints(app) {
await Document.removeDocuments(currWorkspace, deletes); await Document.removeDocuments(currWorkspace, deletes);
await Document.addDocuments(currWorkspace, adds); await Document.addDocuments(currWorkspace, adds);
const updatedWorkspace = await Workspace.get(`slug = '${slug}'`); const updatedWorkspace = await Workspace.get(
`id = ${Number(currWorkspace.id)}`
);
response.status(200).json({ workspace: updatedWorkspace }); response.status(200).json({ workspace: updatedWorkspace });
} catch (e) { } catch (e) {
console.log(e.message, e); console.log(e.message, e);

5
server/endpoints/chat.js
View File

@ -6,6 +6,7 @@ const { validatedRequest } = require("../utils/middleware/validatedRequest");
const { WorkspaceChats } = require("../models/workspaceChats"); const { WorkspaceChats } = require("../models/workspaceChats");
const { SystemSettings } = require("../models/systemSettings"); const { SystemSettings } = require("../models/systemSettings");
const { Telemetry } = require("../models/telemetry"); const { Telemetry } = require("../models/telemetry");
const { escape } = require("sqlstring-sqlite");
function chatEndpoints(app) { function chatEndpoints(app) {
if (!app) return; if (!app) return;
@ -19,8 +20,8 @@ function chatEndpoints(app) {
const { slug } = request.params; const { slug } = request.params;
const { message, mode = "query" } = reqBody(request); const { message, mode = "query" } = reqBody(request);
const workspace = multiUserMode(response) const workspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();

5
server/endpoints/invite.js
View File

@ -1,3 +1,4 @@
const { escape } = require("sqlstring-sqlite");
const { Invite } = require("../models/invite"); const { Invite } = require("../models/invite");
const { User } = require("../models/user"); const { User } = require("../models/user");
const { reqBody } = require("../utils/http"); const { reqBody } = require("../utils/http");
@ -8,7 +9,7 @@ function inviteEndpoints(app) {
app.get("/invite/:code", async (request, response) => { app.get("/invite/:code", async (request, response) => {
try { try {
const { code } = request.params; const { code } = request.params;
const invite = await Invite.get(`code = '${code}'`); const invite = await Invite.get(`code = ${escape(code)}`);
if (!invite) { if (!invite) {
response.status(200).json({ invite: null, error: "Invite not found." }); response.status(200).json({ invite: null, error: "Invite not found." });
return; return;
@ -34,7 +35,7 @@ function inviteEndpoints(app) {
try { try {
const { code } = request.params; const { code } = request.params;
const userParams = reqBody(request); const userParams = reqBody(request);
const invite = await Invite.get(`code = '${code}'`); const invite = await Invite.get(`code = ${escape(code)}`);
if (!invite || invite.status !== "pending") { if (!invite || invite.status !== "pending") {
response response
.status(200) .status(200)

3
server/endpoints/system.js
View File

@ -38,6 +38,7 @@ const {
const { Telemetry } = require("../models/telemetry"); const { Telemetry } = require("../models/telemetry");
const { WelcomeMessages } = require("../models/welcomeMessages"); const { WelcomeMessages } = require("../models/welcomeMessages");
const { ApiKey } = require("../models/apiKeys"); const { ApiKey } = require("../models/apiKeys");
const { escape } = require("sqlstring-sqlite");
function systemEndpoints(app) { function systemEndpoints(app) {
if (!app) return; if (!app) return;
@ -96,7 +97,7 @@ function systemEndpoints(app) {
try { try {
if (await SystemSettings.isMultiUserMode()) { if (await SystemSettings.isMultiUserMode()) {
const { username, password } = reqBody(request); const { username, password } = reqBody(request);
const existingUser = await User.get(`username = '${username}'`); const existingUser = await User.get(`username = ${escape(username)}`);
if (!existingUser) { if (!existingUser) {
response.status(200).json({ response.status(200).json({

27
server/endpoints/workspaces.js
View File

@ -13,6 +13,7 @@ const {
const { validatedRequest } = require("../utils/middleware/validatedRequest"); const { validatedRequest } = require("../utils/middleware/validatedRequest");
const { SystemSettings } = require("../models/systemSettings"); const { SystemSettings } = require("../models/systemSettings");
const { Telemetry } = require("../models/telemetry"); const { Telemetry } = require("../models/telemetry");
const { escape } = require("sqlstring-sqlite");
const { handleUploads } = setupMulter(); const { handleUploads } = setupMulter();
function workspaceEndpoints(app) { function workspaceEndpoints(app) {
@ -44,8 +45,8 @@ function workspaceEndpoints(app) {
const { slug = null } = request.params; const { slug = null } = request.params;
const data = reqBody(request); const data = reqBody(request);
const currWorkspace = multiUserMode(response) const currWorkspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
if (!currWorkspace) { if (!currWorkspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -105,8 +106,8 @@ function workspaceEndpoints(app) {
const { slug = null } = request.params; const { slug = null } = request.params;
const { adds = [], deletes = [] } = reqBody(request); const { adds = [], deletes = [] } = reqBody(request);
const currWorkspace = multiUserMode(response) const currWorkspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
if (!currWorkspace) { if (!currWorkspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -115,7 +116,9 @@ function workspaceEndpoints(app) {
await Document.removeDocuments(currWorkspace, deletes); await Document.removeDocuments(currWorkspace, deletes);
await Document.addDocuments(currWorkspace, adds); await Document.addDocuments(currWorkspace, adds);
const updatedWorkspace = await Workspace.get(`slug = '${slug}'`); const updatedWorkspace = await Workspace.get(
`id = ${currWorkspace.id}`
);
response.status(200).json({ workspace: updatedWorkspace }); response.status(200).json({ workspace: updatedWorkspace });
} catch (e) { } catch (e) {
console.log(e.message, e); console.log(e.message, e);
@ -133,8 +136,8 @@ function workspaceEndpoints(app) {
const user = await userFromSession(request, response); const user = await userFromSession(request, response);
const VectorDb = getVectorDbClass(); const VectorDb = getVectorDbClass();
const workspace = multiUserMode(response) const workspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();
@ -151,7 +154,7 @@ function workspaceEndpoints(app) {
} }
} }
await Workspace.delete(`slug = '${slug.toLowerCase()}'`); await Workspace.delete(`id = ${Number(workspace.id)}`);
await DocumentVectors.deleteForWorkspace(workspace.id); await DocumentVectors.deleteForWorkspace(workspace.id);
await Document.delete(`workspaceId = ${Number(workspace.id)}`); await Document.delete(`workspaceId = ${Number(workspace.id)}`);
await WorkspaceChats.delete(`workspaceId = ${Number(workspace.id)}`); await WorkspaceChats.delete(`workspaceId = ${Number(workspace.id)}`);
@ -187,8 +190,8 @@ function workspaceEndpoints(app) {
const { slug } = request.params; const { slug } = request.params;
const user = await userFromSession(request, response); const user = await userFromSession(request, response);
const workspace = multiUserMode(response) const workspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
response.status(200).json({ workspace }); response.status(200).json({ workspace });
} catch (e) { } catch (e) {
@ -205,8 +208,8 @@ function workspaceEndpoints(app) {
const { slug } = request.params; const { slug } = request.params;
const user = await userFromSession(request, response); const user = await userFromSession(request, response);
const workspace = multiUserMode(response) const workspace = multiUserMode(response)
? await Workspace.getWithUser(user, `slug = '${slug}'`) ? await Workspace.getWithUser(user, `slug = ${escape(slug)}`)
: await Workspace.get(`slug = '${slug}'`); : await Workspace.get(`slug = ${escape(slug)}`);
if (!workspace) { if (!workspace) {
response.sendStatus(400).end(); response.sendStatus(400).end();

6
server/models/invite.js
View File

@ -1,3 +1,5 @@
const { escape } = require("sqlstring-sqlite");
const Invite = { const Invite = {
tablename: "invites", tablename: "invites",
writable: [], writable: [],
@ -69,7 +71,7 @@ const Invite = {
return { invite, error: null }; return { invite, error: null };
}, },
deactivate: async function (inviteId = null) { deactivate: async function (inviteId = null) {
const invite = await this.get(`id = ${inviteId}`); const invite = await this.get(`id = ${escape(inviteId)}`);
if (!invite) return { success: false, error: "Invite does not exist." }; if (!invite) return { success: false, error: "Invite does not exist." };
if (invite.status !== "pending") if (invite.status !== "pending")
return { success: false, error: "Invite is not in pending status." }; return { success: false, error: "Invite is not in pending status." };
@ -96,7 +98,7 @@ const Invite = {
return { success: true, error: null }; return { success: true, error: null };
}, },
markClaimed: async function (inviteId = null, user) { markClaimed: async function (inviteId = null, user) {
const invite = await this.get(`id = ${inviteId}`); const invite = await this.get(`id = ${escape(inviteId)}`);
if (!invite) return { success: false, error: "Invite does not exist." }; if (!invite) return { success: false, error: "Invite does not exist." };
if (invite.status !== "pending") if (invite.status !== "pending")
return { success: false, error: "Invite is not in pending status." }; return { success: false, error: "Invite is not in pending status." };

6
server/models/user.js
View File

@ -1,3 +1,5 @@
const { escape } = require("sqlstring-sqlite");
const User = { const User = {
tablename: "users", tablename: "users",
writable: [], writable: [],
@ -66,13 +68,13 @@ const User = {
return { user, error: null }; return { user, error: null };
}, },
update: async function (userId, updates = {}) { update: async function (userId, updates = {}) {
const user = await this.get(`id = ${userId}`); const user = await this.get(`id = ${escape(userId)}`);
if (!user) return { success: false, error: "User does not exist." }; if (!user) return { success: false, error: "User does not exist." };
const { username, password, role, suspended = 0 } = updates; const { username, password, role, suspended = 0 } = updates;
const toUpdate = { suspended }; const toUpdate = { suspended };
if (user.username !== username && username?.length > 0) { if (user.username !== username && username?.length > 0) {
const usedUsername = !!(await this.get(`username = '${username}'`)); const usedUsername = !!(await this.get(`username = ${escape(username)}`));
if (usedUsername) if (usedUsername)
return { success: false, error: `${username} is already in use.` }; return { success: false, error: `${username} is already in use.` };
toUpdate.username = username; toUpdate.username = username;

3
server/models/workspace.js
View File

@ -2,6 +2,7 @@ const slugify = require("slugify");
const { Document } = require("./documents"); const { Document } = require("./documents");
const { checkForMigrations } = require("../utils/database"); const { checkForMigrations } = require("../utils/database");
const { WorkspaceUser } = require("./workspaceUsers"); const { WorkspaceUser } = require("./workspaceUsers");
const { escape } = require("sqlstring-sqlite");
const Workspace = { const Workspace = {
tablename: "workspaces", tablename: "workspaces",
@ -81,7 +82,7 @@ const Workspace = {
if (!name) return { result: null, message: "name cannot be null" }; if (!name) return { result: null, message: "name cannot be null" };
var slug = slugify(name, { lower: true }); var slug = slugify(name, { lower: true });
const existingBySlug = await this.get(`slug = '${slug}'`); const existingBySlug = await this.get(`slug = ${escape(slug)}`);
if (existingBySlug !== null) { if (existingBySlug !== null) {
const slugSeed = Math.floor(10000000 + Math.random() * 90000000); const slugSeed = Math.floor(10000000 + Math.random() * 90000000);
slug = slugify(`${name}-${slugSeed}`, { lower: true }); slug = slugify(`${name}-${slugSeed}`, { lower: true });

3
server/package.json
View File

@ -42,6 +42,7 @@
"slugify": "^1.6.6", "slugify": "^1.6.6",
"sqlite": "^4.2.1", "sqlite": "^4.2.1",
"sqlite3": "^5.1.6", "sqlite3": "^5.1.6",
"sqlstring-sqlite": "^0.1.1",
"swagger-autogen": "^2.23.5", "swagger-autogen": "^2.23.5",
"swagger-ui-express": "^5.0.0", "swagger-ui-express": "^5.0.0",
"uuid": "^9.0.0", "uuid": "^9.0.0",
@ -53,4 +54,4 @@
"nodemon": "^2.0.22", "nodemon": "^2.0.22",
"prettier": "^2.4.1" "prettier": "^2.4.1"
} }
} }

4
server/utils/middleware/validApiKey.js
View File

@ -1,3 +1,4 @@
const { escape } = require("sqlstring-sqlite");
const { ApiKey } = require("../../models/apiKeys"); const { ApiKey } = require("../../models/apiKeys");
const { SystemSettings } = require("../../models/systemSettings"); const { SystemSettings } = require("../../models/systemSettings");
@ -14,8 +15,7 @@ async function validApiKey(request, response, next) {
return; return;
} }
const apiKey = await ApiKey.get(`secret = '${bearerKey}'`); if (!(await ApiKey.get(`secret = ${escape(bearerKey)}`))) {
if (!apiKey) {
response.status(403).json({ response.status(403).json({
error: "No valid api key found.", error: "No valid api key found.",
}); });

5
server/yarn.lock
View File

@ -2385,6 +2385,11 @@ sqlite@^4.2.1:
resolved "https://registry.yarnpkg.com/sqlite/-/sqlite-4.2.1.tgz#d4eedfd1ad702f79110792375f4241a90c75c828" resolved "https://registry.yarnpkg.com/sqlite/-/sqlite-4.2.1.tgz#d4eedfd1ad702f79110792375f4241a90c75c828"
integrity sha512-Tll0Ndvnwkuv5Hn6WIbh26rZiYQORuH1t5m/or9LUpSmDmmyFG89G9fKrSeugMPxwmEIXoVxqTun4LbizTs4uw== integrity sha512-Tll0Ndvnwkuv5Hn6WIbh26rZiYQORuH1t5m/or9LUpSmDmmyFG89G9fKrSeugMPxwmEIXoVxqTun4LbizTs4uw==
sqlstring-sqlite@^0.1.1:
version "0.1.1"
resolved "https://registry.yarnpkg.com/sqlstring-sqlite/-/sqlstring-sqlite-0.1.1.tgz#c8c61810663f2e59a6b0d737b70a8752bda3a078"
integrity sha512-9CAYUJ0lEUPYJrswqiqdINNSfq3jqWo/bFJ7tufdoNeSK0Fy+d1kFTxjqO9PIqza0Kri+ZtYMfPVf1aZaFOvrQ==
ssri@^8.0.0, ssri@^8.0.1: ssri@^8.0.0, ssri@^8.0.1:
version "8.0.1" version "8.0.1"
resolved "https://registry.yarnpkg.com/ssri/-/ssri-8.0.1.tgz#638e4e439e2ffbd2cd289776d5ca457c4f51a2af" resolved "https://registry.yarnpkg.com/ssri/-/ssri-8.0.1.tgz#638e4e439e2ffbd2cd289776d5ca457c4f51a2af"