added extra validations in case of id pattern validator misuse

2024-11-19 15:59:59 +02:00 · 2024-11-19 15:59:59 +02:00 · 48328bf33f
parent 52e85a8036
commit 48328bf33f
3 changed files with 103 additions and 11 deletions
--- a/core/field_file.go
+++ b/core/field_file.go
@ -391,7 +391,7 @@ func (f *FileField) Intercept(
 }
 func (f *FileField) getLatestOldValue(app App, record *Record) any {
 	if !record.IsNew() {
-		latestOriginal, err := app.FindRecordById(record.Collection(), record.Id)
+		latestOriginal, err := app.FindRecordById(record.Collection(), record.Original().Id)
 		if err == nil {
 			return latestOriginal.GetRaw(f.Name)
 		}
--- a/core/field_text.go
+++ b/core/field_text.go
@ -2,10 +2,14 @@ package core

 import (
 	"context"
+	"database/sql"
+	"errors"
 	"fmt"
 	"regexp"
+	"strings"

 	validation "github.com/go-ozzo/ozzo-validation/v4"
+	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core/validators"
 	"github.com/pocketbase/pocketbase/tools/security"
 	"github.com/spf13/cast"
@ -151,6 +155,8 @@ func (f *TextField) PrepareValue(record *Record, raw any) (any, error) {
 	return cast.ToString(raw), nil
 }

+var forbiddenPKChars = []string{"/", "\\"}
+
 // ValidateValue implements [Field.ValidateValue] interface method.
 func (f *TextField) ValidateValue(ctx context.Context, app App, record *Record) error {
 	newVal, ok := record.GetRaw(f.Name).(string)
@ -158,14 +164,42 @@ func (f *TextField) ValidateValue(ctx context.Context, app App, record *Record)
 		return validators.ErrUnsupportedValueType
 	}

+	if f.PrimaryKey {
 		// disallow PK change
-	if f.PrimaryKey && !record.IsNew() {
+		if !record.IsNew() {
 			oldVal := record.LastSavedPK()
 			if oldVal != newVal {
 				return validation.NewError("validation_pk_change", "The record primary key cannot be changed.")
 			}
 			if oldVal != "" {
-			return nil // no need to further validate since the id can't be updated anyway
+				// no need to further validate because the id can't be updated
+				// and because the id could have been inserted manually by migration from another system
+				// that may not comply with the user defined PocketBase validations
+				return nil
+			}
+		} else {
+			// disallow PK special characters no matter of the Pattern validator to minimize
+			// side-effects when the primary key is used for example in a directory path
+			for _, c := range forbiddenPKChars {
+				if strings.Contains(newVal, c) {
+					return validation.NewError("validation_pk_forbidden", "The record primary key contains forbidden characters.").
+						SetParams(map[string]any{"forbidden": c})
+				}
+			}
+
+			// this technically shouldn't be necessarily but again to
+			// prevent minimize misuse of the Pattern validator that could
+			// cause side-effects on some platforms check for duplicates in a case-insensitive manner
+			var exists bool
+			err := app.DB().
+				Select("(1)").
+				From(record.TableName()).
+				Where(dbx.NewExp("LOWER(id) = {:id}", dbx.Params{"id": strings.ToLower(newVal)})).
+				Limit(1).
+				Row(&exists)
+			if exists || (err != nil && !errors.Is(err, sql.ErrNoRows)) {
+				return validation.NewError("validation_pk_invalid", "The record primary key is invalid or already exists.")
+			}
 		}
 	}

--- a/core/field_text_test.go
+++ b/core/field_text_test.go
@ -68,7 +68,15 @@ func TestTextFieldValidateValue(t *testing.T) {
 	app, _ := tests.NewTestApp()
 	defer app.Cleanup()

-	collection := core.NewBaseCollection("test_collection")
+	collection, err := app.FindCollectionByNameOrId("demo1")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	existingRecord, err := app.FindFirstRecordByFilter(collection, "id != ''")
+	if err != nil {
+		t.Fatal(err)
+	}

 	scenarios := []struct {
 		name        string
@ -116,6 +124,46 @@ func TestTextFieldValidateValue(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"special forbidden character / (non-primaryKey)",
+			&core.TextField{Name: "test", PrimaryKey: false},
+			func() *core.Record {
+				record := core.NewRecord(collection)
+				record.SetRaw("test", "/")
+				return record
+			},
+			false,
+		},
+		{
+			"special forbidden character \\ (non-primaryKey)",
+			&core.TextField{Name: "test", PrimaryKey: false},
+			func() *core.Record {
+				record := core.NewRecord(collection)
+				record.SetRaw("test", "\\")
+				return record
+			},
+			false,
+		},
+		{
+			"special forbidden character / (primaryKey)",
+			&core.TextField{Name: "test", PrimaryKey: true},
+			func() *core.Record {
+				record := core.NewRecord(collection)
+				record.SetRaw("test", "/")
+				return record
+			},
+			true,
+		},
+		{
+			"special forbidden character \\ (primaryKey)",
+			&core.TextField{Name: "test", PrimaryKey: true},
+			func() *core.Record {
+				record := core.NewRecord(collection)
+				record.SetRaw("test", "\\")
+				return record
+			},
+			true,
+		},
 		{
 			"zero field value (primaryKey)",
 			&core.TextField{Name: "test", PrimaryKey: true},
@ -131,11 +179,21 @@ func TestTextFieldValidateValue(t *testing.T) {
 			&core.TextField{Name: "test", PrimaryKey: true},
 			func() *core.Record {
 				record := core.NewRecord(collection)
-				record.SetRaw("test", "abc")
+				record.SetRaw("test", "abcd")
 				return record
 			},
 			false,
 		},
+		{
+			"case-insensitive duplicated primary key check",
+			&core.TextField{Name: "test", PrimaryKey: true},
+			func() *core.Record {
+				record := core.NewRecord(collection)
+				record.SetRaw("test", strings.ToUpper(existingRecord.Id))
+				return record
+			},
+			true,
+		},
 		{
 			"< min",
 			&core.TextField{Name: "test", Min: 4},