From a003f631e741abe81c581598df1aaa7b1f551ed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-L=C3=A9o=20Bourbonnais?=
Date: Thu, 14 Mar 2024 13:41:07 -0400
Subject: [PATCH] accept validateParams audits in filter

---
 .../src/models/interviews.db.queries.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/packages/evolution-backend/src/models/interviews.db.queries.ts b/packages/evolution-backend/src/models/interviews.db.queries.ts
index eeb6d1270..09be576ff 100644
--- a/packages/evolution-backend/src/models/interviews.db.queries.ts
+++ b/packages/evolution-backend/src/models/interviews.db.queries.ts
@@ -376,12 +376,18 @@ const getRawWhereClause = (
 ): string | [string, string | boolean | number] | undefined => {
     // Make sure the field is a legitimate field to avoid sql injection. Field
     // is either the name of a field, or a dot-separated path in a json object
-    // of the 'responses' field. We should not accept anything else.
+    // of the 'responses' field, or an audit name for validateParams,
+    // which includes "-" and ":". We should not accept anything else.
     // TODO Once the individual surveys are typed and the expected
     // responses are known in advance, try to completely type the responses
     // object and make sure the field here matches an actual path
-    const dotSeparatedStringRegex = /^[\w\.]*$/g;
-    const match = field.match(dotSeparatedStringRegex);
+    let regex: RegExp;
+    if (field === 'audits') {
+        regex = /^[\w\:\-\.]*$/g;
+    } else {
+        regex = /^[\w\.]*$/g;
+    }
+    const match = field.match(regex);
     if (match === null) {
         throw new TrError(
             `Invalid field for where clause in ${tableName} database`,
@@ -430,7 +436,7 @@ const getRawWhereClause = (
         if (typeof filter.value !== 'string') {
             return undefined;
         }
-        const match = filter.value.match(dotSeparatedStringRegex);
+        const match = filter.value.match(regex);
         if (match === null) {
             throw new TrError(
                 `Invalid value for where clause in ${tableName} database`,
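Review bot: The widened character class is selected by `field === 'audits'`, so on the field side it is a no-op — the field is the literal string `'audits'`, which the original `/^[\w\.]*$/` already accepted — and the only place the extra `:` and `-` take effect is the `filter.value.match(regex)` check in the second hunk; the rewritten comment ("Make sure the field is a legitimate field ... or an audit name") therefore describes the value, not the field. Splitting the two checks keeps the field validation unchanged and makes the relaxation explicit where it applies: `const fieldRegex = /^[\w\.]*$/;` for `field.match(...)`, and `const valueRegex = field === 'audits' ? /^[\w\:\-\.]*$/ : fieldRegex;` for the value check further down (the `g` flag adds nothing to an anchored full-match pattern and would make `RegExp.test` stateful if anyone switches to it). Note that admitting `-` in a value also admits the two-character sequence `--`; whether that matters depends on how the returned tuple is consumed — if the value is passed as a bound parameter this is harmless, but if it is ever spliced into SQL text unquoted the character check alone no longer excludes a comment marker, which is worth stating in the comment. The body of `getRawWhereClause` starts before this hunk and continues past it, so the consumer of the returned clause is not visible here.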
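Review bot: `filter.value.match(regex)` accepts an empty string, because the `*` quantifier in both anchored patterns matches `''` (with the `/g` flag, `''.match(...)` returns `['']`, not `null`), so an empty value passes the guard and reaches the where clause; this predates the commit but now also applies to the `'audits'` path. If an empty audit name or path is never meaningful here, `+` instead of `*` rejects it, e.g. `/^[\w\:\-\.]+$/` for the audits value regex. I cannot tell from the hunk whether an empty value is intentionally allowed for other fields, so this should be confirmed against the callers before tightening; the enclosing function continues outside the hunk.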