UNPKG

chanfana

Version:

OpenAPI 3 and 3.1 schema generator and validator for Hono, itty-router and more!

chanfana.pages.dev

cloudflare/chanfana

261 lines (229 loc) 9.09 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
import { ApiException, InputValidationException } from "../../exceptions"; import type { OrderByDirection } from "../../types"; import type { FilterCondition, Filters, Logger } from "../types"; /** * SQL identifier validation regex. * Intentionally restrictive for D1/SQLite — rejects schema-qualified names (e.g., "schema.table") * and quoted identifiers. Only allows alphanumeric characters and underscores. */ const SQL_IDENTIFIER_REGEX = /^[a-zA-Z_][a-zA-Z0-9_]*$/; /** * Valid ORDER BY direction values */ const VALID_ORDER_DIRECTIONS = new Set(["asc", "desc"]); /** * Result from getSafeFilters - contains validated SQL conditions and parameters */ export interface SafeFilters { /** Array of SQL condition strings (e.g., ["id = ?1", "name = ?2"]) */ conditions: string[]; /** Array of parameter values to bind to the prepared statement */ conditionsParams: (string | number | boolean | null)[]; } /** * Validates that a string is a safe SQL identifier (table name, column name). * Prevents SQL injection by only allowing alphanumeric characters and underscores. * * @param identifier - The identifier to validate * @param type - Type of identifier for error message (e.g., "table", "column") * @returns The validated identifier * @throws ApiException if the identifier is invalid */ export function validateSqlIdentifier(identifier: string, type: string): string { if (!identifier || typeof identifier !== "string") { throw new ApiException(`Invalid ${type} name: must be a non-empty string`); } if (!SQL_IDENTIFIER_REGEX.test(identifier)) { throw new ApiException( `Invalid ${type} name "${identifier}": must start with a letter or underscore and contain only alphanumeric characters and underscores`, ); } // Additional length check to prevent excessively long identifiers if (identifier.length > 128) { throw new ApiException(`Invalid ${type} name "${identifier}": exceeds maximum length of 128 characters`); } return identifier; } /** * Validates a table name for safe use in SQL queries. * * @param tableName - The table name to validate * @returns The validated table name * @throws ApiException if the table name is invalid */ export function validateTableName(tableName: string): string { return validateSqlIdentifier(tableName, "table"); } /** * Validates a column name for safe use in SQL queries. * * @param columnName - The column name to validate * @param validColumns - Optional array of valid column names to check against * @returns The validated column name * @throws ApiException if the column name is invalid or not in the valid list */ export function validateColumnName(columnName: string, validColumns?: string[]): string { const validated = validateSqlIdentifier(columnName, "column"); if (validColumns && validColumns.length > 0 && !validColumns.includes(validated)) { throw new ApiException(`Invalid column name "${columnName}": not found in schema`); } return validated; } /** * Validates and normalizes an ORDER BY direction. * * @param direction - The direction string to validate * @returns "asc" or "desc" */ export function validateOrderDirection(direction: string | undefined): OrderByDirection { const normalized = (direction || "asc").toLowerCase().trim(); return VALID_ORDER_DIRECTIONS.has(normalized) ? (normalized as OrderByDirection) : "asc"; } /** * Validates an ORDER BY column against a whitelist of allowed columns. * * @param column - The column name to order by * @param allowedColumns - Array of columns that are allowed for ordering * @param fallbackColumn - Column to use if the provided column is not allowed * @returns The validated column name or fallback */ export function validateOrderByColumn( column: string | undefined, allowedColumns: string[], fallbackColumn: string, ): string { if (!column || typeof column !== "string" || column === "undefined") { return validateColumnName(fallbackColumn); } // Check if column is in the allowed list if (allowedColumns.includes(column)) { return validateColumnName(column); } // Fall back to default return validateColumnName(fallbackColumn); } /** * Builds safe SQL filter conditions from an array of filter conditions. * Validates all column names against the provided schema columns. * * @param filters - Array of filter conditions * @param validColumns - Array of valid column names from the schema * @param startParamIndex - Starting index for parameter placeholders (default: 1) * @returns SafeFilters object with conditions and parameters * @throws ApiException if any column name is invalid or operator is not supported */ export function buildSafeFilters(filters: FilterCondition[], validColumns: string[], startParamIndex = 1): SafeFilters { const conditions: string[] = []; const conditionsParams: (string | number | boolean | null)[] = []; for (const f of filters) { const validatedColumn = validateColumnName(f.field, validColumns); if (f.operator === "EQ") { conditions.push(`${validatedColumn} = ?${startParamIndex + conditionsParams.length}`); conditionsParams.push(f.value); } else { throw new ApiException(`Operator "${f.operator}" is not implemented`); } } return { conditions, conditionsParams }; } /** * Builds safe SQL filter conditions for primary key lookups only. * Filters out any conditions that are not on primary key columns. * * @param filters - Filters object containing filter conditions * @param primaryKeys - Array of primary key column names * @param validColumns - Array of valid column names from the schema * @param startParamIndex - Starting index for parameter placeholders (default: 1) * @returns SafeFilters object with conditions and parameters */ export function buildPrimaryKeyFilters( filters: Filters, primaryKeys: string[], validColumns: string[], startParamIndex = 1, ): SafeFilters { // Filter to only include primary key fields const primaryKeyFilters = filters.filters.filter((f) => primaryKeys.includes(f.field)); if (primaryKeyFilters.length === 0) { throw new ApiException("No primary key filters provided — refusing to execute unscoped query"); } return buildSafeFilters(primaryKeyFilters, validColumns, startParamIndex); } /** * Gets a D1 database binding from the worker environment. * * @param getBindings - Function to get bindings from router args * @param args - Handler arguments * @param dbName - Name of the D1 binding * @returns D1Database instance * @throws ApiException if binding is not defined or is not a D1 binding */ export function getD1Binding( getBindings: (args: any[]) => Record<string, any>, args: any[], dbName: string, ): D1Database { const env = getBindings(args); if (env[dbName] === undefined) { throw new ApiException(`Binding "${dbName}" is not defined in worker`); } if (env[dbName].prepare === undefined) { throw new ApiException(`Binding "${dbName}" is not a D1 binding`); } return env[dbName]; } /** * Handles database errors and maps UNIQUE constraint violations to custom exceptions. * * @param error - The caught error * @param constraintsMessages - Map of constraint names to custom exceptions * @param logger - Optional logger for error tracking * @param operation - Description of the operation for logging * @throws The mapped InputValidationException or a sanitized ApiException */ export function handleDbError( error: Error, constraintsMessages: Record<string, InputValidationException>, logger?: Logger, operation?: string, ): never { if (logger && operation) { logger.error(`Database error during ${operation}: ${error.message}`); } // Handle UNIQUE constraint violations with custom messages if (error.message.includes("UNIQUE constraint failed")) { const match = error.message.match(/UNIQUE constraint failed:\s*([^:]+)/); if (match?.[1]) { const constraintName = match[1].trim(); if (constraintsMessages[constraintName]) { // Clone the exception to avoid sharing mutable state across concurrent requests const template = constraintsMessages[constraintName]; throw new InputValidationException(template.message, template.path); } } } // Sanitize error message - don't expose internal DB details throw new ApiException("Database operation failed"); } /** * Builds a safe WHERE clause from conditions array. * * @param conditions - Array of condition strings * @returns WHERE clause string or empty string if no conditions */ export function buildWhereClause(conditions: string[]): string { if (conditions.length === 0) { return ""; } return `WHERE ${conditions.join(" AND ")}`; } /** * Builds a safe ORDER BY clause. * * @param column - Validated column name * @param direction - Validated direction ("asc" or "desc") * @returns ORDER BY clause string */ export function buildOrderByClause(column: string, direction: OrderByDirection): string { return `ORDER BY ${column} ${direction}`; }