lift query key validation out of transformWhere

drew-gross · drew-gross · commit ea0921351159 · 2016-05-18T18:56:47.000-07:00
diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -25,6 +25,7 @@ const storageAdapterAllCollections = mongoAdapter => {
   });
 }
 
+const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
 export class MongoStorageAdapter {
   // Private
   _uri: string;
@@ -187,7 +188,10 @@ export class MongoStorageAdapter {
       if (query.ACL) {
         throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
       }
-      let mongoWhere = transform.transformWhere(className, query, { validate }, schema);
+      if (validate && Object.keys(query).some(restKey => !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/))) {
+        throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
+      }
+      let mongoWhere = transform.transformWhere(className, query, schema);
       return collection.deleteMany(mongoWhere)
     })
     .then(({ result }) => {
diff --git a/src/Adapters/Storage/Mongo/MongoTransform.js b/src/Adapters/Storage/Mongo/MongoTransform.js
@@ -172,6 +172,11 @@ function transformQueryKeyValue(className, key, value, schema) {
     }
     if (value.some(subQuery => subQuery.ACL)) {
       throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+      Object.keys(subQuery).forEach(restKey => {
+        if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
+          throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
+        }
+      });
     }
     return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
   case '$and':
@@ -180,6 +185,11 @@ function transformQueryKeyValue(className, key, value, schema) {
     }
     if (value.some(subQuery => subQuery.ACL)) {
       throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+      Object.keys(subQuery).forEach(restKey => {
+        if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
+          throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
+        }
+      });
     }
     return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
   default:

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,11 @@ function transformQueryKeyValue(className, key, value, schema) {`
`172`	`172`	`}`
`173`	`173`	`if (value.some(subQuery => subQuery.ACL)) {`
`174`	`174`	`throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');`
	`175`	`+ Object.keys(subQuery).forEach(restKey => {`
	`176`	`+ if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {`
	`177`	+ throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
	`178`	`+ }`
	`179`	`+ });`
`175`	`180`	`}`
`176`	`181`	`return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};`
`177`	`182`	`case '$and':`
`@@ -180,6 +185,11 @@ function transformQueryKeyValue(className, key, value, schema) {`
`180`	`185`	`}`
`181`	`186`	`if (value.some(subQuery => subQuery.ACL)) {`
`182`	`187`	`throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');`
	`188`	`+ Object.keys(subQuery).forEach(restKey => {`
	`189`	`+ if (!specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {`
	`190`	+ throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
	`191`	`+ }`
	`192`	`+ });`
`183`	`193`	`}`
`184`	`194`	`return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};`
`185`	`195`	`default:`