import "reflect-metadata"; import {closeTestingConnections, createTestingConnections, reloadTestingDatabases} from "../../utils/test-utils"; import {Connection} from "../../../src"; import {Post} from "./entity/Post"; import {expect} from "chai"; describe("other issues > preventing-injection", () => { let connections: Connection[]; before(async () => connections = await createTestingConnections({ entities: [__dirname + "/entity/*{.js,.ts}"], })); beforeEach(() => reloadTestingDatabases(connections)); after(() => closeTestingConnections(connections)); it("should not allow selection of non-exist columns via FindOptions", () => Promise.all(connections.map(async function(connection) { const post = new Post(); post.title = "hello"; await connection.manager.save(post); const postWithOnlyIdSelected = await connection.manager.find(Post, { select: ["id"] }); postWithOnlyIdSelected.should.be.eql([{ id: 1 }]); await connection.manager.find(Post, { select: ["(WHERE LIMIT 1)" as any] }).should.be.rejected; }))); it("should skip non-exist columns in where expression via FindOptions", () => Promise.all(connections.map(async function(connection) { const post = new Post(); post.title = "hello"; await connection.manager.save(post); const postWithOnlyIdSelected = await connection.manager.find(Post, { where: { title: "hello" } }); postWithOnlyIdSelected.should.be.eql([{ id: 1, title: "hello" }]); const loadedPosts = await connection.manager.find(Post, { where: { id: 2, ["(WHERE LIMIT 1)"]: "hello" } }); loadedPosts.should.be.eql([]); }))); it("should not allow selection of non-exist columns via FindOptions", () => Promise.all(connections.map(async function(connection) { const post = new Post(); post.title = "hello"; await connection.manager.save(post); const loadedPosts = await connection.manager.find(Post, { order: { title: "DESC" } }); loadedPosts.should.be.eql([{ id: 1, title: "hello" }]); await connection.manager.find(Post, { order: { ["(WHERE LIMIT 1)" as any]: "DESC" } }).should.be.rejected; }))); it("should not allow non-numeric values in skip and take via FindOptions", () => Promise.all(connections.map(async function(connection) { await connection.manager.find(Post, { take: "(WHERE XXX)" as any }).should.be.rejected; await connection.manager.find(Post, { skip: "(WHERE LIMIT 1)" as any, take: "(WHERE XXX)" as any, }).should.be.rejected; }))); it("should not allow non-numeric values in skip and take in QueryBuilder", () => Promise.all(connections.map(async function(connection) { expect(() => { connection.manager .createQueryBuilder(Post, "post") .take("(WHERE XXX)" as any); }).to.throw(Error); expect(() => { connection.manager .createQueryBuilder(Post, "post") .skip("(WHERE LIMIT 1)" as any); }).to.throw(Error); }))); it("should not allow non-allowed values in order by in QueryBuilder", () => Promise.all(connections.map(async function(connection) { expect(() => { connection.manager .createQueryBuilder(Post, "post") .orderBy("post.id", "MIX" as any); }).to.throw(Error); expect(() => { connection.manager .createQueryBuilder(Post, "post") .orderBy("post.id", "DESC", "SOMETHING LAST" as any); }).to.throw(Error); }))); });