flexbiz-server
Flexible Server
const mongoose=require("mongoose");
/**
 * Mongoose schema plugin that inspects query filters before they run.
 *
 * For every hooked query method it:
 *   1. warns when a bulk update/delete is issued with an empty filter;
 *   2. checks filter values against the schema's declared path types and, on a
 *      mismatch, logs a warning and replaces the query with `{_id: {$in: []}}`
 *      so it matches nothing;
 *   3. on schemas that declare an `id_app` path, logs when a non-empty filter
 *      has neither `_id` nor `id_app`.
 *
 * Security notes for reviewers (all derived from the code below):
 *   - Step 3 only logs; the query still runs without a tenant condition.
 *   - An empty filter, or any filter with a truthy `_id`, skips step 3.
 *   - Type checking is not operator filtering: operator objects are accepted
 *     on any schema path, null/undefined operands always pass, and operators
 *     outside the comparison/membership lists (apart from the `$regex` type
 *     rule) are not inspected. Request input still needs to be reduced to
 *     scalars before it reaches a filter.
 *   - Keys that are not schema paths are only recursed into when they hold a
 *     plain object; otherwise they are not inspected. That includes
 *     `$`-prefixed top-level keys other than `$and`/`$or`/`$nor`.
 *   - Log lines embed the whole filter via JSON.stringify, so filter values
 *     (identifiers, e-mail addresses, tokens) end up in the log sink.
 *
 * `Logger` is not defined in this file; presumably it is a process-wide
 * global. TODO confirm.
 *
 * @param {object} schema - Mongoose schema the hooks are attached to.
 */
module.exports = function (schema) {
  const LOGICAL_OPERATORS = ["$and", "$or", "$nor"];
  const COMPARISON_OPERATORS = ["$eq", "$ne", "$gt", "$gte", "$lt", "$lte"];
  const MEMBERSHIP_OPERATORS = ["$in", "$nin"];
  const BULK_WRITE_METHODS = ["updateMany", "deleteMany", "update"];
  const HOOKED_METHODS = [
    "find",
    "findOne",
    "findOneAndUpdate",
    "findOneAndDelete",
    "findOneAndRemove",
    "update",
    "updateOne",
    "updateMany",
    "deleteOne",
    "deleteMany",
    "count",
    "countDocuments",
  ];
  // Models for which a missing `id_app` is logged as a warning, not an error.
  const ID_APP_WARN_ONLY_MODELS = [
    "sys_job_queue_book_keeping",
    "participant",
    "cache",
    "parameter",
  ];

  // Schema path -> SchemaType `instance` string, captured once per schema.
  const schemaPaths = {};
  schema.eachPath((pathname, schemaType) => {
    schemaPaths[pathname] = schemaType.instance;
  });

  const hasIdAppField = Boolean(schema.path("id_app"));

  /**
   * True for a non-empty plain object whose keys all start with "$".
   * Arrays, Dates and BSON ObjectIDs are never treated as operator objects.
   * NOTE(review): the `_bsontype` comparison is case-sensitive; confirm the
   * installed bson/mongoose versions still report "ObjectID".
   */
  const isMongoOperatorObject = (candidate) => {
    if (!candidate || typeof candidate !== "object") {
      return false;
    }
    if (Array.isArray(candidate) || candidate instanceof Date) {
      return false;
    }
    if (candidate._bsontype === "ObjectID") {
      return false;
    }
    const keys = Object.keys(candidate);
    return keys.length > 0 && keys.every((name) => name.startsWith("$"));
  };

  /**
   * Checks one value against the schema type declared for `key`.
   * Returns an error message (Vietnamese, used in logs) or null when the
   * value is acceptable. null/undefined are always accepted, and so is any
   * expected type not listed in the switch.
   */
  const validateType = (key, val, expectedType) => {
    if (val === null || val === undefined) {
      return null;
    }

    switch (expectedType) {
      case "ObjectID": {
        // Only strings are checked; other value kinds fall through as valid.
        if (typeof val === "string" && !mongoose.isValidObjectId(val)) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng ObjectId t\u1ea1i '${key}'`;
        }
        return null;
      }
      case "String": {
        if (Array.isArray(val)) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng String t\u1ea1i '${key}' (nh\u1eadn \u0111\u01b0\u1ee3c m\u1ea3ng)`;
        }
        const isForeignObject =
          typeof val === "object" &&
          val !== null &&
          val._bsontype !== "ObjectID" &&
          !(val instanceof Date);
        if (isForeignObject) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng String t\u1ea1i '${key}' (nh\u1eadn \u0111\u01b0\u1ee3c object r\u00e1c)`;
        }
        return null;
      }
      case "Number": {
        const notNumeric =
          typeof val === "object" ||
          Array.isArray(val) ||
          val === "" ||
          Number.isNaN(Number(val));
        if (notNumeric) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng Number t\u1ea1i '${key}'`;
        }
        return null;
      }
      case "Boolean": {
        const booleanLike = ["true", "false", "1", "0", 1, 0];
        if (typeof val !== "boolean" && !booleanLike.includes(val)) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng Boolean t\u1ea1i '${key}'`;
        }
        return null;
      }
      case "Date": {
        if (typeof val === "object" && !(val instanceof Date)) {
          return `Sai \u0111\u1ecbnh d\u1ea1ng Date t\u1ea1i '${key}'`;
        }
        if (Number.isNaN(new Date(val).getTime())) {
          return `Th\u1eddi gian kh\u00f4ng h\u1ee3p l\u1ec7 t\u1ea1i '${key}'`;
        }
        return null;
      }
      default:
        return null;
    }
  };

  /** Runs validateType over every item and returns the first error, if any. */
  const firstItemError = (path, items, expectedType) => {
    for (const item of items) {
      const itemError = validateType(path, item, expectedType);
      if (itemError) {
        return itemError;
      }
    }
    return null;
  };

  /**
   * Walks a filter and returns the first type error found, or null.
   * Side effect: a bare array given for a non-Array schema path is rewritten
   * in place to `{$in: [...]}` on the filter object that was passed in.
   */
  const scanFilterForInvalidTypes = (filter, prefix = "") => {
    if (!filter || typeof filter !== "object") {
      return null;
    }

    for (const key of Object.keys(filter)) {
      const value = filter[key];

      if (LOGICAL_OPERATORS.includes(key)) {
        // Sub-filters restart at the root path; a non-array operand is skipped.
        if (Array.isArray(value)) {
          for (const sub of value) {
            const subError = scanFilterForInvalidTypes(sub, "");
            if (subError) {
              return subError;
            }
          }
        }
        continue;
      }

      const currentPath = prefix ? `${prefix}.${key}` : key;
      const expectedType = schemaPaths[currentPath];

      if (!expectedType) {
        // Not a schema path: only descend into plain nested objects.
        const isNestedDocument =
          typeof value === "object" &&
          value !== null &&
          !isMongoOperatorObject(value) &&
          !Array.isArray(value);
        if (isNestedDocument) {
          const nestedError = scanFilterForInvalidTypes(value, currentPath);
          if (nestedError) {
            return nestedError;
          }
        }
        continue;
      }

      if (Array.isArray(value)) {
        // Arrays against Array-typed paths are left untouched and unchecked.
        if (expectedType !== "Array") {
          filter[key] = { $in: value };
          const itemError = firstItemError(currentPath, value, expectedType);
          if (itemError) {
            return itemError;
          }
        }
        continue;
      }

      if (isMongoOperatorObject(value)) {
        for (const op of Object.keys(value)) {
          const operand = value[op];
          if (COMPARISON_OPERATORS.includes(op)) {
            const operandError = validateType(currentPath, operand, expectedType);
            if (operandError) {
              return operandError;
            }
          } else if (MEMBERSHIP_OPERATORS.includes(op)) {
            if (!Array.isArray(operand)) {
              return `To\u00e1n t\u1eed ${op} t\u1ea1i '${currentPath}' y\u00eau c\u1ea7u m\u1ed9t m\u1ea3ng`;
            }
            const itemError = firstItemError(currentPath, operand, expectedType);
            if (itemError) {
              return itemError;
            }
          } else if (op === "$regex" && expectedType !== "String") {
            return `To\u00e1n t\u1eed $regex t\u1ea1i '${currentPath}' ch\u1ec9 d\u00f9ng cho ki\u1ec3u String`;
          }
          // Any other operator is passed through without inspection.
        }
        continue;
      }

      const isScalarLike =
        typeof value !== "object" ||
        value === null ||
        value instanceof Date ||
        value._bsontype === "ObjectID";
      if (!isScalarLike) {
        // Plain object on a typed path that is not a pure operator object.
        return `Tr\u01b0\u1eddng '${currentPath}' (ki\u1ec3u ${expectedType}) nh\u1eadn \u0111\u01b0\u1ee3c Object r\u00e1c kh\u00f4ng h\u1ee3p l\u1ec7`;
      }
      const scalarError = validateType(currentPath, value, expectedType);
      if (scalarError) {
        return scalarError;
      }
    }

    return null;
  };

  /**
   * True when `id_app` is an own key of the filter or of any sub-filter
   * reachable through `$and` / `$or` / `$nor` arrays.
   * Presence in a single `$or` branch is enough for this to return true.
   */
  const hasIdAppInFilter = (filter) => {
    if (!filter || typeof filter !== "object") {
      return false;
    }
    if (Object.hasOwn(filter, "id_app")) {
      return true;
    }
    return Object.keys(filter).some(
      (key) =>
        LOGICAL_OPERATORS.includes(key) &&
        Array.isArray(filter[key]) &&
        filter[key].some((sub) => hasIdAppInFilter(sub)),
    );
  };

  HOOKED_METHODS.forEach((method) => {
    // Regular function on purpose: `this` must be the Mongoose Query.
    schema.pre(method, function (next) {
      const filter = this.getFilter();

      if (Object.keys(filter).length === 0 && BULK_WRITE_METHODS.includes(method)) {
        Logger.warn(
          `[DANGER WARN] L\u1ec7nh '${method}' c\u00f3 filter r\u1ed7ng tr\u00ean Model '${this.model.modelName}'!`,
        );
      }

      const typeError = scanFilterForInvalidTypes(filter);
      if (typeError) {
        // Fail closed: the query proceeds but can match no document.
        Logger.warn(
          `[Security Warn] ${typeError} tr\u00ean Model '${this.model.modelName}'. \u0110\u00e3 \u00e9p query tr\u1ea3 v\u1ec1 r\u1ed7ng. Filter: ${JSON.stringify(filter)}`,
        );
        this.setQuery({ _id: { $in: [] } });
        return next();
      }

      // Re-apply the filter so the in-place array -> $in rewrites take effect.
      this.setQuery(filter);

      const missingTenantScope =
        hasIdAppField &&
        Object.keys(filter).length > 0 &&
        !filter._id &&
        !hasIdAppInFilter(filter);

      if (missingTenantScope) {
        const modelName = this.model ? this.model.modelName : "UnknownModel";
        // Detection only: both branches log and the query still executes.
        if (filter.id_ct || ID_APP_WARN_ONLY_MODELS.includes(modelName)) {
          Logger.warn(
            `[SECURITY WARN] Query tr\u00ean Model '${modelName}' \u0111ang thi\u1ebfu \u0111i\u1ec1u ki\u1ec7n 'id_app'! \u0110i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 g\u00e2y l\u1ecdt d\u1eef li\u1ec7u ch\u00e9o. Filter: ${JSON.stringify(filter)}`,
          );
        } else {
          Logger.error(
            `[SECURITY ERROR] Query tr\u00ean Model '${modelName}' \u0111ang thi\u1ebfu \u0111i\u1ec1u ki\u1ec7n 'id_app'! \u0110i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 g\u00e2y l\u1ecdt d\u1eef li\u1ec7u ch\u00e9o. Filter: ${JSON.stringify(filter)}`,
          );
        }
      }

      next();
    });
  });
};