fix: field with read-deny can be used to filter due to a prisma bug (#1728)

ymc9 · web-flow · commit b8d890293e93 · 2024-09-22T17:49:19.000-07:00
diff --git a/packages/runtime/src/enhancements/node/policy/policy-utils.ts b/packages/runtime/src/enhancements/node/policy/policy-utils.ts
@@ -608,13 +608,13 @@ export class PolicyUtil extends QueryUtils {
             //   to-one: direct-conditions/is/isNot
             //   regular fields
             const mergedGuard = this.buildReadGuardForFields(db, model, args.where, {});
-            this.mergeWhereClause(args.where, mergedGuard);
+            args.where = this.mergeWhereClause(args.where, mergedGuard);
         }
 
         if (args.where) {
             if (injected.where && Object.keys(injected.where).length > 0) {
                 // merge injected guard with the user-provided where clause
-                this.mergeWhereClause(args.where, injected.where);
+                args.where = this.mergeWhereClause(args.where, injected.where);
             }
         } else if (injected.where) {
             // no user-provided where clause, use the injected one
@@ -630,7 +630,7 @@ export class PolicyUtil extends QueryUtils {
             if (!args.where) {
                 args.where = this.and(...hoistedConditions);
             } else {
-                this.mergeWhereClause(args.where, this.and(...hoistedConditions));
+                args.where = this.mergeWhereClause(args.where, this.and(...hoistedConditions));
             }
         }
 
@@ -1552,7 +1552,11 @@ export class PolicyUtil extends QueryUtils {
         }
 
         if (this.isTrue(extra)) {
-            return;
+            return where;
+        }
+
+        if (this.isFalse(extra)) {
+            return this.makeFalse();
         }
 
         // instead of simply wrapping with AND, we preserve the structure
@@ -1565,10 +1569,10 @@ export class PolicyUtil extends QueryUtils {
             const combined: any = this.and(...conditions);
 
             // make sure the merging always goes under AND
-            where.AND = combined.AND ?? combined;
+            return { ...where, AND: combined.AND ?? combined };
         } else {
             // insert an AND clause
-            where.AND = [extra];
+            return { ...where, AND: [extra] };
         }
     }
 
diff --git a/tests/integration/tests/enhancements/with-password/with-password.test.ts b/tests/integration/tests/enhancements/with-password/with-password.test.ts
@@ -93,4 +93,36 @@ describe('Password test', () => {
             })
         ).toBeRejectedByPolicy(['must start with "abc" at "password"']);
     });
+
+    it('prevents query enumeration if password is not readable', async () => {
+        const { prisma, enhance } = await loadSchema(
+            `
+            model User {
+                id       Int    @id @default(autoincrement())
+                email    String @unique
+                password String @password @omit @deny('read', true)
+                @@allow('all', true)
+            }
+            `
+        );
+
+        const db = enhance();
+
+        const user = await db.user.create({
+            data: {
+                email: 'alice@abc.com',
+                password: '123456',
+            },
+        });
+        expect(user.password).toBeUndefined();
+
+        const u = await prisma.user.findFirstOrThrow();
+
+        await expect(db.user.findFirst({ where: { password: u.password } })).toResolveNull();
+        await expect(
+            db.user.findFirst({
+                where: { password: { startsWith: u?.password.substring(0, 3) } },
+            })
+        ).toResolveNull();
+    });
 });

Original file line number	Diff line number	Diff line change
`@@ -608,13 +608,13 @@ export class PolicyUtil extends QueryUtils {`
`608`	`608`	`// to-one: direct-conditions/is/isNot`
`609`	`609`	`// regular fields`
`610`	`610`	`const mergedGuard = this.buildReadGuardForFields(db, model, args.where, {});`
`611`		`- this.mergeWhereClause(args.where, mergedGuard);`
	`611`	`+ args.where = this.mergeWhereClause(args.where, mergedGuard);`
`612`	`612`	`}`
`613`	`613`
`614`	`614`	`if (args.where) {`
`615`	`615`	`if (injected.where && Object.keys(injected.where).length > 0) {`
`616`	`616`	`// merge injected guard with the user-provided where clause`
`617`		`- this.mergeWhereClause(args.where, injected.where);`
	`617`	`+ args.where = this.mergeWhereClause(args.where, injected.where);`
`618`	`618`	`}`
`619`	`619`	`} else if (injected.where) {`
`620`	`620`	`// no user-provided where clause, use the injected one`
`@@ -630,7 +630,7 @@ export class PolicyUtil extends QueryUtils {`
`630`	`630`	`if (!args.where) {`
`631`	`631`	`args.where = this.and(...hoistedConditions);`
`632`	`632`	`} else {`
`633`		`- this.mergeWhereClause(args.where, this.and(...hoistedConditions));`
	`633`	`+ args.where = this.mergeWhereClause(args.where, this.and(...hoistedConditions));`
`634`	`634`	`}`
`635`	`635`	`}`
`636`	`636`
`@@ -1552,7 +1552,11 @@ export class PolicyUtil extends QueryUtils {`
`1552`	`1552`	`}`
`1553`	`1553`
`1554`	`1554`	`if (this.isTrue(extra)) {`
`1555`		`- return;`
	`1555`	`+ return where;`
	`1556`	`+ }`
	`1557`	`+`
	`1558`	`+ if (this.isFalse(extra)) {`
	`1559`	`+ return this.makeFalse();`
`1556`	`1560`	`}`
`1557`	`1561`
`1558`	`1562`	`// instead of simply wrapping with AND, we preserve the structure`
`@@ -1565,10 +1569,10 @@ export class PolicyUtil extends QueryUtils {`
`1565`	`1569`	`const combined: any = this.and(...conditions);`
`1566`	`1570`
`1567`	`1571`	`// make sure the merging always goes under AND`
`1568`		`- where.AND = combined.AND ?? combined;`
	`1572`	`+ return { ...where, AND: combined.AND ?? combined };`
`1569`	`1573`	`} else {`
`1570`	`1574`	`// insert an AND clause`
`1571`		`- where.AND = [extra];`
	`1575`	`+ return { ...where, AND: [extra] };`
`1572`	`1576`	`}`
`1573`	`1577`	`}`
`1574`	`1578`