Asked by: 小点点

objection.js: can all where clauses be wrapped in parentheses after they have been added?


// Creates an Objection query. 
// I have no control over the creation of the query. I can only modify the query after it has been created.
// Example: "select `todos`.* from `todos` where `text` = ?"
const objectionQuery = thirdPartyService.createQuery(userControlledInput);
// Adds an access check. Example "select `todos`.* from `todos` where `text` = ? and `userId` = ?"
objectionQuery.andWhere("userId", currentUser.id);

The example above has a security flaw. If thirdPartyService generates a query like the following:

select `todos`.* from `todos` where `text` = ? or `id` = ?

then after the access check is added we end up with this query:

select `todos`.* from `todos` where `text` = ? or `id` = ? and `userId` = ?

and that query can return data that does not belong to the current user. To fix this bug, we need to wrap the user-controlled conditions in parentheses:

select `todos`.* from `todos` where (`text` = ? or `id` = ?) and `userId` = ?

But how can this be done with the Objection query builder? I imagine something like this:

const objectionQuery = thirdPartyService.createQuery(userControlledInput);
wrapWhereClauses(objectionQuery);
objectionQuery.andWhere("userId", currentUser.id);

1 answer

Anonymous user

From Docs: you can add parentheses to a query by passing a function to any where* method:

await objectionQuery
  .where('userId', userId)
  .where(builder => {
    builder.where('text', text).orWhere('id', id);
  });
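As an added example (not code from the question, the answer, or Objection.js itself): a small stand-in query builder that mimics the knex/Objection `where` / `orWhere` / `andWhere` / `where(fn)` shape, renders the SQL text, and evaluates the predicate against a few constructed rows using SQL's AND-before-OR precedence. It shows the row leak from the ungrouped query, then the two parenthesised forms: the hypothetical `wrapWhereClauses` helper from the question (implemented only on this stand-in; whether Objection exposes an existing builder's clauses to wrap after the fact is not something this example claims) and the `where(fn)` form the answer quotes from the docs. `MiniQuery`, `createQuery`, `TODOS` and `wrapWhereClauses` are assumptions.

```javascript
// Added example (not Objection.js and not the poster's code): a minimal stand-in
// builder with the same where/orWhere/andWhere/where(fn) shape, so the precedence
// problem and the parenthesised fix can be run offline without a database.
class MiniQuery {
  constructor(table) {
    this.table = table;
    this.clauses = []; // { op, col, val } or { op, group: [...clauses] }
  }
  where(colOrFn, val) { return this._add('and', colOrFn, val); }
  andWhere(colOrFn, val) { return this._add('and', colOrFn, val); }
  orWhere(colOrFn, val) { return this._add('or', colOrFn, val); }
  _add(op, colOrFn, val) {
    if (typeof colOrFn === 'function') {
      // where(fn): the callback fills a sub-builder whose clauses become one group.
      const sub = new MiniQuery(this.table);
      colOrFn(sub);
      this.clauses.push({ op, group: sub.clauses });
    } else {
      this.clauses.push({ op, col: colOrFn, val });
    }
    return this;
  }
  // Render "select ... where ..." with ? placeholders; groups become parentheses.
  toSQL() {
    const bindings = [];
    const render = (clauses) => clauses.map((c, i) => {
      let text;
      if (c.group) {
        text = `(${render(c.group)})`;
      } else {
        bindings.push(c.val);
        text = `\`${c.col}\` = ?`;
      }
      return i === 0 ? text : `${c.op} ${text}`;
    }).join(' ');
    const sql = `select \`${this.table}\`.* from \`${this.table}\` where ${render(this.clauses)}`;
    return { sql, bindings };
  }
  // Evaluate the predicate the way SQL does: AND binds tighter than OR.
  matches(row) {
    const evalClauses = (clauses) => {
      const orGroups = [[]]; // each inner array is a run of AND-ed terms
      for (const c of clauses) {
        if (c.op === 'or' && orGroups[orGroups.length - 1].length > 0) orGroups.push([]);
        orGroups[orGroups.length - 1].push(c);
      }
      return orGroups.some((run) =>
        run.every((c) => (c.group ? evalClauses(c.group) : row[c.col] === c.val)));
    };
    return evalClauses(this.clauses);
  }
}

// Hypothetical helper from the question, implemented on the stand-in only:
// fold every clause already on the builder into a single parenthesised group.
function wrapWhereClauses(query) {
  query.clauses = [{ op: 'and', group: query.clauses }];
  return query;
}

// Constructed sample rows: one todo per user.
const TODOS = [
  { id: 1, text: 'buy milk', userId: 'alice' },
  { id: 2, text: 'ship release', userId: 'bob' },
];

// Stand-in for thirdPartyService.createQuery: user input drives an OR'd filter.
function createQuery(userInput) {
  return new MiniQuery('todos').where('text', userInput.text).orWhere('id', userInput.id);
}

// Ungrouped: "text = ? or id = ? and userId = ?" -> the OR branch bypasses the check.
function runUnsafe(userInput, currentUserId) {
  const q = createQuery(userInput).andWhere('userId', currentUserId);
  return { sql: q.toSQL().sql, rows: TODOS.filter((r) => q.matches(r)) };
}

// Grouped after the fact: "(text = ? or id = ?) and userId = ?".
function runWrapped(userInput, currentUserId) {
  const q = wrapWhereClauses(createQuery(userInput)).andWhere('userId', currentUserId);
  return { sql: q.toSQL().sql, rows: TODOS.filter((r) => q.matches(r)) };
}

// Built up front with where(fn), the shape the answer quotes from the docs.
function runGrouped(userInput, currentUserId) {
  const q = new MiniQuery('todos')
    .where('userId', currentUserId)
    .where((builder) => { builder.where('text', userInput.text).orWhere('id', userInput.id); });
  return { sql: q.toSQL().sql, rows: TODOS.filter((r) => q.matches(r)) };
}

// Constructed probe: alice's request names the text of bob's todo.
const probe = { text: 'ship release', id: 999 };
console.log(runUnsafe(probe, 'alice'));   // rows: [ bob's todo ] -> the leak
console.log(runWrapped(probe, 'alice'));  // rows: []
console.log(runGrouped(probe, 'alice'));  // rows: []
```

The `matches` method is what makes the point visible without a database: it applies the same precedence the SQL engine would, so the ungrouped query returns bob's row to alice while both parenthesised forms return nothing. The binding order also stays intact through the grouping (`text`, `id`, then `userId` for the wrapped form), which is the property to check if you implement this against the real builder.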