fix(nodejs): invalid characters in admin role

cam-inc · Feb 4, 2025 · 739819b · 739819b
1 parent 3cdd393
commit 739819b
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 3 deletions.
diff --git a/example/nodejs/package.json b/example/nodejs/package.json
@@ -5,7 +5,7 @@
   "main": "dist/server.js",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.451.0",
-    "@viron/lib": "2.4.0-alpha.2",
+    "@viron/lib": "2.4.0-alpha.3",
     "accepts": "^1.3.7",
     "compression": "^1.7.4",
     "cookie-parser": "^1.4.5",

diff --git a/packages/nodejs/package.json b/packages/nodejs/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@viron/lib",
-  "version": "2.4.0-alpha.2",
+  "version": "2.4.0-alpha.3",
   "scripts": {
     "build": "npm run clean && tsc --project tsconfig.json && cp -fr src/openapi dist/",
     "clean": "rm -rf dist && rm -f tsconfig.tsbuildinfo",

diff --git a/packages/nodejs/src/domains/adminrole.ts b/packages/nodejs/src/domains/adminrole.ts
@@ -1,5 +1,9 @@
 import { newModel } from 'casbin';
-import { roleIdAlreadyExists, unableToDeleteRole } from '../errors';
+import {
+  roleIdAlreadyExists,
+  unableToDeleteRole,
+  invalidAdminRole,
+} from '../errors';
 import {
   ADMIN_ROLE,
   API_METHOD,
@@ -89,6 +93,25 @@ const sync = async (now = Date.now()): Promise<void> => {
   }
 };
 
+// adminroles(casbin_rule)で不正な文字列チェック
+const validateAdminRole = (obj: AdminRole): void => {
+  console.log('validateAdminRole: ', obj);
+  // obj.idにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
+  if (/[,'"]/.test(obj.id)) {
+    throw invalidAdminRole();
+  }
+  for (const { resourceId, permission } of obj.permissions) {
+    // resourceIdにカンマ、シングルクォート、ダブルクォートが文字列に含まれないことを確認
+    if (/[,'"]/.test(resourceId)) {
+      throw invalidAdminRole();
+    }
+    // permissionがPermissionに含まれることを確認
+    if (!Object.values(PERMISSION).includes(permission)) {
+      throw invalidAdminRole();
+    }
+  }
+};
+
 // APIメソッドをPermissionに変換
 export const method2Permissions = (method: ApiMethod): Permission[] =>
   permissionMap[method];
@@ -291,6 +314,7 @@ export const listByOas = async (
 
 // 1件作成
 export const createOne = async (obj: AdminRole): Promise<AdminRole> => {
+  validateAdminRole(obj);
   const roleId = obj.id;
   const policies = await listPolicies(roleId);
   if (policies?.length) {
@@ -305,6 +329,7 @@ export const updateOneById = async (
   roleId: string,
   permissions: AdminRolePermissions
 ): Promise<void> => {
+  validateAdminRole({ id: roleId, permissions });
   await updatePermissionsForRole(roleId, permissions);
 };
 

diff --git a/packages/nodejs/src/errors.ts b/packages/nodejs/src/errors.ts
@@ -79,6 +79,10 @@ export const invalidAuthType = (): VironError => {
   return new VironError('Invalid Auth type.', 400);
 };
 
+export const invalidAdminRole = (): VironError => {
+  return new VironError('Invalid Admin role.', 400);
+};
+
 export const unsupportedScope = (): VironError => {
   return new VironError('Unsupported scope.', 500);
 };