fixed SQL injection bug and changed type boolean from bit to tinyint

PrivateSky · Apr 10, 2017 · 954425f · 954425f
1 parent f4fea87
commit 954425f
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 30 deletions.
diff --git a/db/sql/MySqlPersistence.js b/db/sql/MySqlPersistence.js
@@ -21,14 +21,13 @@ function sqlPersistenceStrategy(mysqlPool) {
 
             var validModel = true;
             var model = new modelUtil.ModelDescription(typeName,description,self);
-
+            
             tableStructure[0].forEach(function(column){
-                column['Type'] = column['Type'].split('(')[0];   //ignore size specifications such as INT(10)
+                column['Type'] = column['Type'].split('(')[0];   //ignore size specifications such as INT(10) ... not neccesarily reccomender
             });
 
             model.persistentProperties.some(function(modelProperty){
                 var expectedDbType = self.getDatabaseType(model.getFieldType(modelProperty));
-
                 if(expectedDbType === undefined){
                     validModel = false;
                     return true;
@@ -97,8 +96,7 @@ function sqlPersistenceStrategy(mysqlPool) {
                 callback(err);
             }else{
                 var model = modelUtil.getModel(typeName);
-
-                var deserialized_id = modelUtil.deserialiseField(typeName,model.getPKField(),serialized_id,self)
+                var deserialized_id = modelUtil.deserialiseField(typeName,model.getPKField(),serialized_id,self);
                 var retObj = createRawObject(typeName, deserialized_id);
                 if (result.length>0) {
                     modelUtil.load(retObj, result[0], self);

diff --git a/db/sql/mysqlUtils.js b/db/sql/mysqlUtils.js
@@ -2,7 +2,7 @@
  * Created by ctalmacel on 12/21/15.
  */
 
-
+var mysql = require('mysql');
 var Q = require('q');
 var modelUtil = require("../../lib/ModelDescription.js");
 
@@ -58,14 +58,7 @@ exports.insertRow = function(tableName,serializedData){
 
 
     for(var field in serializedData){
-
-        if(model.getFieldDescription(field).type === 'boolean') {
-            query+=' b\''+serializedData[field]+'\',';
-        }else{
-            query+=' \''+serializedData[field]+'\',';
-        }
-
-
+        query+= mysql.escape(serializedData[field])+',';
     }
     query = query.slice(0, -1);
     query+=');';

diff --git a/lib/BasicStrategy.js b/lib/BasicStrategy.js
@@ -14,7 +14,7 @@ function BasicStrategy(){
         if(dbType !== undefined) {
 
             if(dbType.indexOf(')') != -1){
-                dbType = dbType.slice(dbType.indexOf('('));
+                dbType = dbType.slice(0,dbType.indexOf('('));
             }
             typeToDbTypeCorrespondence[typeName] = dbType;
             dbTypeToTypeCorrespondence[dbType] = typeName;

diff --git a/lib/ModelDescription.js b/lib/ModelDescription.js
@@ -132,7 +132,6 @@ function ModelDescription(typeName, description, strategy){
 
         // throw erros if trying to access lazy fields that are not loaded or setting fields #this is not OOP:)
         self.transientProperties.forEach(function(field){
-
             Object.defineProperty(res,field,{
                 get:function(field){
                     return null;
@@ -249,7 +248,7 @@ exports.load = function( rawObject, from , strategy){
     var rawModel = models[rawObject.__meta.typeName];
     var props = rawModel.persistentProperties;
     props.forEach(function(p){
-        if(from[p] || from[p]===false) {
+        if(from.hasOwnProperty(p)) {
             var value = convertFrom(strategy, rawObject.__meta.typeName, p, from[p]);
             rawObject[p] = value;
             rawObject.__meta.savedValues[p] = value;

diff --git a/lib/basicSQLTypes.js b/lib/basicSQLTypes.js
@@ -45,23 +45,22 @@ exports.registerTypeConverters = function(persistence){
 
     persistence.registerConverter('boolean',
         function(value){
-
-            if(value[0] != '0') {
+            if(value == 1) {
                 return true;
             }
             else {
                 return false;
             }
         },
         function(value){
-            if(value){
-                return "1"
+            if(value == true){
+                return 1
             }
             else{
-                return "0"
+                return 0
             }
         },
-        "bit"
+        "tinyint(1)"
     );
 
     persistence.registerConverter('date',
@@ -100,12 +99,6 @@ exports.registerTypeConverters = function(persistence){
             if(arrayOfStuff == "null"){
                 return null;
             }
-            if(arrayOfStuff.length>0&&arrayOfStuff[0].__meta){
-                //the array is of lazy objects and was filled
-                arrayOfStuff = arrayOfStuff.map(function(lazyLoadedObject){
-                    return lazyLoadedObject.__meta.getPK()
-                })
-            }
 
             return JSON.stringify(arrayOfStuff)
         },

diff --git a/test/fillLazyTest.js b/test/fillLazyTest.js
@@ -109,7 +109,7 @@ assert.steps("Load lazy objects test",[
                 });
             })
         })
-    }]);
+    }],1000);