fix: secure sql queries generated by leaderboard stats (#611)

Author: ghusse

src/services/leaderboard-stat-getter.js

@@ -1,11 +1,31 @@
 import _ from 'lodash';
 import { Schemas } from 'forest-express';
 import Orm from '../utils/orm';
+import { InvalidParameterError } from './errors';
 
+function getAggregateField({
+  aggregateField, schemaRelationship, modelRelationship,
+}) {
+  // NOTICE: As MySQL cannot support COUNT(table_name.*) syntax, fieldName cannot be '*'.
+  const fieldName = aggregateField
+    || schemaRelationship.primaryKeys[0]
+    || schemaRelationship.fields[0].field;
+  return `${modelRelationship.name}.${Orm.getColumnName(schemaRelationship, fieldName)}`;
+}
+
+/**
+ * @param {import('sequelize').Model} model
+ * @param {import('sequelize').Model} modelRelationship
+ * @param {{
+ *  label_field: string;
+ *  aggregate: string;
+ *  aggregate_field: string;
+ * }} params
+ * @param {*} options
+ */
 function LeaderboardStatGetter(model, modelRelationship, params, options) {
   const labelField = params.label_field;
   const aggregate = params.aggregate.toUpperCase();
-  const aggregateField = params.aggregate_field;
   const { limit } = params;
   const schema = Schemas.schemas[model.name];
   const schemaRelationship = Schemas.schemas[modelRelationship.name];
@@ -15,50 +35,52 @@ function LeaderboardStatGetter(model, modelRelationship, params, options) {
     (association) => association.target.name === model.name,
   );
 
-  if (associationFound && associationFound.as) {
-    associationAs = associationFound.as;
-  }
-
-  const groupBy = `"${associationAs}"."${labelField}"`;
+  const aggregateField = getAggregateField({
+    aggregateField: params.aggregate_field,
+    schemaRelationship,
+    modelRelationship,
+  });
 
-  function getAggregateField() {
-    // NOTICE: As MySQL cannot support COUNT(table_name.*) syntax, fieldName cannot be '*'.
-    const fieldName = aggregateField
-      || schemaRelationship.primaryKeys[0]
-      || schemaRelationship.fields[0].field;
-    return `"${modelRelationship.tableName}"."${Orm.getColumnName(schema, fieldName)}"`;
+  if (!associationFound) {
+    throw new InvalidParameterError(`Association ${model.name} not found`);
   }
 
-  let joinQuery;
-  if (associationFound.associationType === 'BelongsToMany') {
-    const joinTableName = associationFound.through.model.tableName;
-    joinQuery = `INNER JOIN "${joinTableName}"
-        ON "${modelRelationship.tableName}"."${associationFound.sourceKeyField}" = "${joinTableName}"."${associationFound.foreignKey}"
-      INNER JOIN "${model.tableName}" AS "${associationAs}"
-        ON "${associationAs}"."${associationFound.targetKeyField}" = "${joinTableName}"."${associationFound.otherKey}"
-    `;
-  } else {
-    const foreignKeyField = associationFound.source
-      .rawAttributes[associationFound.foreignKey].field;
-    joinQuery = `INNER JOIN "${model.tableName}" AS "${associationAs}"
-        ON "${associationAs}"."${associationFound.targetKeyField}" = "${modelRelationship.tableName}"."${foreignKeyField}"
-    `;
+  if (associationFound.as) {
+    associationAs = associationFound.as;
   }
 
-  const query = `
-    SELECT ${aggregate}(${getAggregateField()}) as "value", ${groupBy} as "key"
-    FROM "${modelRelationship.tableName}"
-    ${joinQuery}
-    GROUP BY ${groupBy}
-    ORDER BY "value" DESC
-    LIMIT ${limit}
-  `;
+  const labelColumn = Orm.getColumnName(schema, labelField);
+  const groupBy = `${associationAs}.${labelColumn}`;
 
+  this.perform = async () => {
+    const records = await modelRelationship
+      .unscoped()
+      .findAll({
+        attributes: [
+          [options.sequelize.col(groupBy), 'key'],
+          [options.sequelize.fn(aggregate, options.sequelize.col(aggregateField)), 'value'],
+        ],
+        includeIgnoreAttributes: false,
+        include: [{
+          model,
+          attributes: [labelField],
+          as: associationAs,
+          required: true,
+        }],
+        subQuery: false,
+        group: groupBy,
+        order: [[options.sequelize.literal('value'), 'DESC']],
+        limit,
+        raw: true,
+      });
 
-  this.perform = () => options.connections[0].query(query, {
-    type: model.sequelize.QueryTypes.SELECT,
-  })
-    .then((records) => ({ value: records }));
+    return {
+      value: records.map((data) => ({
+        key: data.key,
+        value: Number(data.value),
+      })),
+    };
+  };
 }
 
 module.exports = LeaderboardStatGetter;

test/databases.js

@@ -1,7 +1,9 @@
 const Sequelize = require('sequelize');
 
+/** @typedef {ConnectionManager} ConnectionManager */
 class ConnectionManager {
-  constructor(connectionString) {
+  constructor(dialect, connectionString) {
+    this.dialect = dialect;
     this.connectionString = connectionString;
     this.databaseOptions = {
       logging: false,
@@ -11,13 +13,16 @@ class ConnectionManager {
   }
 
   getDialect() {
-    return this.connection && this.connection.options && this.connection.options.dialect;
+    return this.dialect;
   }
 
   getPort() {
     return this.connection && this.connection.options && this.connection.options.port;
   }
 
+  /**
+   * @returns {import('sequelize').Sequelize}
+   */
   createConnection() {
     if (!this.connection) {
       this.connection = new Sequelize(this.connectionString, this.databaseOptions);
@@ -33,8 +38,11 @@ class ConnectionManager {
   }
 }
 
+/**
+ * @type {Record<string, ConnectionManager>}
+ */
 module.exports = {
-  sequelizePostgres: new ConnectionManager('postgres://forest:secret@localhost:5436/forest-express-sequelize-test'),
-  sequelizeMySQLMin: new ConnectionManager('mysql://forest:secret@localhost:8998/forest-express-sequelize-test'),
-  sequelizeMySQLMax: new ConnectionManager('mysql://forest:secret@localhost:8999/forest-express-sequelize-test'),
+  sequelizePostgres: new ConnectionManager('Postgresql 9.4', 'postgres://forest:secret@localhost:5436/forest-express-sequelize-test'),
+  sequelizeMySQLMin: new ConnectionManager('MySQL 5.6', 'mysql://forest:secret@localhost:8998/forest-express-sequelize-test'),
+  sequelizeMySQLMax: new ConnectionManager('MySQL 8.0', 'mysql://forest:secret@localhost:8999/forest-express-sequelize-test'),
 };

test/fixtures/leaderboard-stat-getter.json

@@ -0,0 +1,53 @@
+[{
+  "model": "theVendors",
+  "data": {
+    "id": 100,
+    "firstName": "Alice",
+    "lastName": "Doe"
+  }
+},{
+  "model": "theVendors",
+  "data": {
+    "id": 101,
+    "firstName": "Bob",
+    "lastName": "Doe"
+  }
+},{
+  "model": "theCustomers",
+  "data": {
+    "id": 100,
+    "name": "big customer",
+    "objectiveScore": 5
+  }
+},{
+  "model": "theCustomers",
+  "data": {
+    "id": 101,
+    "name": "small customer",
+    "objectiveScore": 1
+  }
+},{
+  "model": "theirSales",
+  "data": {
+    "id": 100,
+    "vendorId": 100,
+    "customerId": 100,
+    "sellingAmount": 100
+  }
+},{
+  "model": "theirSales",
+  "data": {
+    "id": 101,
+    "vendorId": 101,
+    "customerId": 100,
+    "sellingAmount": 200
+  }
+},{
+  "model": "theirSales",
+  "data": {
+    "id": 102,
+    "vendorId": 100,
+    "customerId": 101,
+    "sellingAmount": 150
+  }
+}]

test/helpers/run-with-connection.js

@@ -0,0 +1,13 @@
+/**
+ * @param {import("../databases").ConnectionManager} connectionManager
+ * @param {(connection: import("sequelize").Sequelize) => Promise<void>} testCallback
+ */
+async function runWithConnection(connectionManager, testCallback) {
+  try {
+    await testCallback(connectionManager.createConnection());
+  } finally {
+    connectionManager.closeConnection();
+  }
+}
+
+module.exports = runWithConnection;