UniqAI/hexabot
1
0
Fork 0
mirror of https://github.com/hexastack/hexabot synced 2025-06-11 08:54:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #78 from Hexastack/77-issue-regular-expression-injection

Browse Source 
fix: escape regular expressions
This commit is contained in:
Mohamed Marrouchi 2024-09-24 14:06:12 +01:00 committed by GitHub
commit e06dfd62de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/migrations/config/create.ts
View File

@ -11,6 +11,8 @@
import fs from 'fs'; import fs from 'fs';
import path from 'path'; import path from 'path';
import escapeRegExp from 'lodash/escapeRegExp';
// Get the argument passed (e.g., "all-users-fr") // Get the argument passed (e.g., "all-users-fr")
const arg: string | undefined = process.argv[2]; const arg: string | undefined = process.argv[2];
@ -25,7 +27,7 @@ const templatePath: string = path.join(__dirname, '../config/template.ts');
// Check if a migration with the same name (excluding timestamp) already exists // Check if a migration with the same name (excluding timestamp) already exists
const migrationExists: boolean = fs.readdirSync(migrationsDir).some((file) => { const migrationExists: boolean = fs.readdirSync(migrationsDir).some((file) => {
const regex = new RegExp(`^[0-9]+-${arg}\.ts$`); const regex = new RegExp(`^[0-9]+-${escapeRegExp(arg)}\\.ts$`);
return regex.test(file); return regex.test(file);
}); });

7
api/package-lock.json generated
View File

@ -67,6 +67,7 @@
"@types/express": "^4.17.17", "@types/express": "^4.17.17",
"@types/express-session": "^1.17.10", "@types/express-session": "^1.17.10",
"@types/jest": "^29.5.2", "@types/jest": "^29.5.2",
"@types/lodash": "^4.17.9",
"@types/minio": "^7.1.1", "@types/minio": "^7.1.1",
"@types/module-alias": "^2.0.4", "@types/module-alias": "^2.0.4",
"@types/multer": "^1.4.11", "@types/multer": "^1.4.11",
@ -6027,6 +6028,12 @@
"@types/node": "*" "@types/node": "*"
} }
}, },
"node_modules/@types/lodash": {
"version": "4.17.9",
"resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.17.9.tgz",
"integrity": "sha512-w9iWudx1XWOHW5lQRS9iKpK/XuRhnN+0T7HvdCCd802FYkT1AMTnxndJHGrNJwRoRHkslGr4S29tjm1cT7x/7w==",
"dev": true
},
"node_modules/@types/mime": { "node_modules/@types/mime": {
"version": "1.3.5", "version": "1.3.5",
"resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz", "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",

1
api/package.json
View File

@ -91,6 +91,7 @@
"@types/express": "^4.17.17", "@types/express": "^4.17.17",
"@types/express-session": "^1.17.10", "@types/express-session": "^1.17.10",
"@types/jest": "^29.5.2", "@types/jest": "^29.5.2",
"@types/lodash": "^4.17.9",
"@types/module-alias": "^2.0.4", "@types/module-alias": "^2.0.4",
"@types/multer": "^1.4.11", "@types/multer": "^1.4.11",
"@types/node": "^20.3.1", "@types/node": "^20.3.1",

6
api/src/utils/pipes/search-filter.pipe.ts
View File

@ -13,6 +13,7 @@ import {
ArgumentMetadata, ArgumentMetadata,
Logger, Logger,
} from '@nestjs/common'; } from '@nestjs/common';
import escapeRegExp from 'lodash/escapeRegExp';
import { TFilterQuery, Types } from 'mongoose'; import { TFilterQuery, Types } from 'mongoose';
import { import {
@ -36,9 +37,8 @@ export class SearchFilterPipe<T>
} }
private getRegexValue(val: string) { private getRegexValue(val: string) {
const quote = (str: string) => const escapedRegExp = escapeRegExp(val);
str.replace(/([.?*+^$[\]\\(){}|-])/g, '\\$1'); return new RegExp(escapedRegExp, 'i');
return new RegExp(quote(val), 'i');
} }
private isAllowedField(field: string) { private isAllowedField(field: string) {