Fix share URL permissions. (#1745)

* Fix share URL permissions. * Add sql param logic. * Add permissions to edit website. * Update permissions. * Move parameters to param injection. * Sanitize eventdata. * Remove caret. * Fix avg.
2023-01-18 15:09:49 -08:00 · 2023-01-18 15:09:49 -08:00 · 922c3acab3
parent 558ce268a0
commit 922c3acab3
16 changed files with 139 additions and 79 deletions
--- a/components/layout/Header.js
+++ b/components/layout/Header.js
@ -29,21 +29,24 @@ export default function Header() {
          <Icon icon={<Logo />} size="large" className={styles.logo} />
          <Link href={isSharePage ? HOMEPAGE_URL : '/'}>umami</Link>
        </div>
-        <HamburgerButton />
+
        {user && (
-          <div className={styles.links}>
-            <Link href="/dashboard">
-              <FormattedMessage id="label.dashboard" defaultMessage="Dashboard" />
-            </Link>
-            <Link href="/realtime">
-              <FormattedMessage id="label.realtime" defaultMessage="Realtime" />
-            </Link>
-            {!process.env.isCloudMode && (
-              <Link href="/settings">
-                <FormattedMessage id="label.settings" defaultMessage="Settings" />
+          <>
+            <HamburgerButton />
+            <div className={styles.links}>
+              <Link href="/dashboard">
+                <FormattedMessage id="label.dashboard" defaultMessage="Dashboard" />
              </Link>
-            )}
-          </div>
+              <Link href="/realtime">
+                <FormattedMessage id="label.realtime" defaultMessage="Realtime" />
+              </Link>
+              {!process.env.isCloudMode && (
+                <Link href="/settings">
+                  <FormattedMessage id="label.settings" defaultMessage="Settings" />
+                </Link>
+              )}
+            </div>
+          </>
        )}
        <div className={styles.buttons}>
          <ThemeButton />
--- a/lib/auth.js
+++ b/lib/auth.js
@ -35,7 +35,7 @@ export function isValidToken(token, validation) {
  return false;
 }

-export async function allowQuery(req, type) {
+export async function allowQuery(req, type, allowShareToken = true) {
  const { id } = req.query;

  const { userId, isAdmin, shareToken } = req.auth ?? {};
@ -44,7 +44,7 @@ export async function allowQuery(req, type) {
    return true;
  }

-  if (shareToken) {
+  if (allowShareToken && shareToken) {
    return isValidToken(shareToken, { id });
  }

--- a/lib/prisma.js
+++ b/lib/prisma.js
@ -36,6 +36,18 @@ function logQuery(e) {
  log(chalk.yellow(e.params), '->', e.query, chalk.greenBright(`${e.duration}ms`));
 }

+function toUuid() {
+  const db = getDatabaseType(process.env.DATABASE_URL);
+
+  if (db === POSTGRESQL) {
+    return '::uuid';
+  }
+
+  if (db === MYSQL) {
+    return '';
+  }
+}
+
 function getClient(options) {
  const prisma = new PrismaClient(options);

@ -85,11 +97,23 @@ function getTimestampInterval(field) {
  }
 }

-function getJsonField(column, property, isNumber) {
+function getSanitizedColumns(columns) {
+  return Object.keys(columns).reduce((acc, keyName) => {
+    const sanitizedProperty = keyName.replace(/[\w\s_]/g, '');
+
+    acc[sanitizedProperty] = columns[keyName];
+
+    return acc;
+  }, {});
+}
+
+function getJsonField(column, property, isNumber, params) {
  const db = getDatabaseType(process.env.DATABASE_URL);

  if (db === POSTGRESQL) {
-    let accessor = `${column} ->> '${property}'`;
+    params.push(property);
+
+    let accessor = `${column} ->> $${params.length}`;

    if (isNumber) {
      accessor = `CAST(${accessor} AS DECIMAL)`;
@ -99,21 +123,29 @@ function getJsonField(column, property, isNumber) {
  }

  if (db === MYSQL) {
-    return `${column} ->> "$.${property}"`;
+    return `${column} ->> '$.${property}'`;
  }
 }

-function getEventDataColumnsQuery(column, columns) {
-  const query = Object.keys(columns).reduce((arr, key) => {
+function getEventDataColumnsQuery(column, columns, params) {
+  const query = Object.keys(columns).reduce((arr, key, i) => {
    const filter = columns[key];

    if (filter === undefined) {
      return arr;
    }

-    const isNumber = ['sum', 'avg', 'min', 'max'].some(a => a === filter);
-
-    arr.push(`${filter}(${getJsonField(column, key, isNumber)}) as "${filter}(${key})"`);
+    switch (filter) {
+      case 'sum':
+      case 'avg':
+      case 'min':
+      case 'max':
+        arr.push(`${filter}(${getJsonField(column, key, true, params)}) as "${i}"`);
+        break;
+      case 'count':
+        arr.push(`${filter}(${getJsonField(column, key, false, params)}) as "${i}"`);
+        break;
+    }

    return arr;
  }, []);
@ -121,7 +153,7 @@ function getEventDataColumnsQuery(column, columns) {
  return query.join(',\n');
 }

-function getEventDataFilterQuery(column, filters) {
+function getEventDataFilterQuery(column, filters, params) {
  const query = Object.keys(filters).reduce((arr, key) => {
    const filter = filters[key];

@ -131,11 +163,9 @@ function getEventDataFilterQuery(column, filters) {

    const isNumber = filter && typeof filter === 'number';

-    arr.push(
-      `${getJsonField(column, key, isNumber)} = ${
-        typeof filter === 'string' ? `'${filter}'` : filter
-      }`,
-    );
+    arr.push(`${getJsonField(column, key, isNumber, params)} = $${params.length + 1}`);
+
+    params.push(filter);

    return arr;
  }, []);
@ -248,11 +278,13 @@ const prisma = global[PRISMA] || getClient(PRISMA_OPTIONS);
 export default {
  client: prisma,
  log,
+  toUuid,
  getDateQuery,
  getTimestampInterval,
  getFilterQuery,
  getEventDataColumnsQuery,
  getEventDataFilterQuery,
+  getSanitizedColumns,
  parseFilters,
  rawQuery,
  transaction,
--- a/pages/api/accounts/[id]/password.js
+++ b/pages/api/accounts/[id]/password.js
@ -17,7 +17,7 @@ export default async (req, res) => {
  const { current_password, new_password } = req.body;
  const { id: accountUuid } = req.query;

-  if (!(await allowQuery(req, TYPE_ACCOUNT))) {
+  if (!(await allowQuery(req, TYPE_ACCOUNT, false))) {
    return unauthorized(res);
  }

--- a/pages/api/realtime/init.js
+++ b/pages/api/realtime/init.js
@ -1,5 +1,5 @@
 import { subMinutes } from 'date-fns';
-import { ok, methodNotAllowed, createToken } from 'next-basics';
+import { ok, unauthorized, methodNotAllowed, createToken } from 'next-basics';
 import { useAuth } from 'lib/middleware';
 import { getUserWebsites, getRealtimeData } from 'queries';
 import { secret } from 'lib/crypto';
@ -10,6 +10,10 @@ export default async (req, res) => {
  if (req.method === 'GET') {
    const { userId } = req.auth;

+    if (!userId) {
+      return unauthorized(res);
+    }
+
    const websites = await getUserWebsites({ userId });
    const ids = websites.map(({ websiteUuid }) => websiteUuid);
    const token = createToken({ websites: ids }, secret());
--- a/pages/api/websites/[id]/index.js
+++ b/pages/api/websites/[id]/index.js
@ -10,17 +10,21 @@ export default async (req, res) => {

  const { id: websiteUuid } = req.query;

-  if (!(await allowQuery(req, TYPE_WEBSITE))) {
-    return unauthorized(res);
-  }
-
  if (req.method === 'GET') {
+    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+      return unauthorized(res);
+    }
+
    const website = await getWebsite({ websiteUuid });

    return ok(res, website);
  }

  if (req.method === 'POST') {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
+      return unauthorized(res);
+    }
+
    const { name, domain, owner, enableShareUrl, shareId } = req.body;
    const { accountUuid } = req.auth;

@ -58,7 +62,7 @@ export default async (req, res) => {
  }

  if (req.method === 'DELETE') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
      return unauthorized(res);
    }

--- a/pages/api/websites/[id]/reset.js
+++ b/pages/api/websites/[id]/reset.js
@ -11,7 +11,7 @@ export default async (req, res) => {
  const { id: websiteId } = req.query;

  if (req.method === 'POST') {
-    if (!(await allowQuery(req, TYPE_WEBSITE))) {
+    if (!(await allowQuery(req, TYPE_WEBSITE, false))) {
      return unauthorized(res);
    }

--- a/pages/api/websites/index.js
+++ b/pages/api/websites/index.js
@ -7,6 +7,7 @@ export default async (req, res) => {
  await useAuth(req, res);

  const { user_id, include_all } = req.query;
+
  const { userId: currentUserId, isAdmin } = req.auth;
  const accountUuid = user_id || req.auth.accountUuid;
  let account;
@ -18,7 +19,7 @@ export default async (req, res) => {
  const userId = account ? account.id : user_id;

  if (req.method === 'GET') {
-    if (userId && userId !== currentUserId && !isAdmin) {
+    if (!userId || (userId !== currentUserId && !isAdmin)) {
      return unauthorized(res);
    }

--- a/queries/analytics/event/getEventData.js
+++ b/queries/analytics/event/getEventData.js
@ -10,29 +10,44 @@ export async function getEventData(...args) {
 }

 async function relationalQuery(websiteId, { startDate, endDate, event_name, columns, filters }) {
-  const { rawQuery, getEventDataColumnsQuery, getEventDataFilterQuery } = prisma;
-  const params = [startDate, endDate];
+  const {
+    rawQuery,
+    getEventDataColumnsQuery,
+    getEventDataFilterQuery,
+    toUuid,
+    getSanitizedColumns,
+  } = prisma;
+  const sanitizedColumns = getSanitizedColumns(columns);
+  const params = [websiteId, startDate, endDate];
+
+  if (event_name) {
+    params.push(event_name);
+  }
+
+  const columnQuery = getEventDataColumnsQuery('event_data.event_data', sanitizedColumns, params);
+  const filterQuery =
+    Object.keys(filters).length > 0
+      ? `and ${getEventDataFilterQuery('event_data.event_data', filters, params)}`
+      : '';

  return rawQuery(
    `select
-      ${getEventDataColumnsQuery('event_data.event_data', columns)}
+      ${columnQuery}
    from event
      join website 
        on event.website_id = website.website_id
      join event_data
        on event.event_id = event_data.event_id
-    where website_uuid='${websiteId}'
-      and event.created_at between $1 and $2
-      ${event_name ? `and event_name = ${event_name}` : ''}
-      ${
-        Object.keys(filters).length > 0
-          ? `and ${getEventDataFilterQuery('event_data.event_data', filters)}`
-          : ''
-      }`,
+    where website_uuid = $1${toUuid()}
+      and event.created_at between $2 and $3
+      ${event_name ? `and event_name = $4` : ''}
+      ${filterQuery}`,
    params,
  ).then(results => {
-    return Object.keys(results[0]).map(a => {
-      return { x: a, y: results[0][`${a}`] };
+    const fields = Object.keys(sanitizedColumns);
+
+    return Object.keys(results[0]).map((a, i) => {
+      return { x: `${sanitizedColumns[fields[i]]}(${fields[i]})`, y: results[0][i] };
    });
  });
 }
--- a/queries/analytics/event/getEventMetrics.js
+++ b/queries/analytics/event/getEventMetrics.js
@ -17,8 +17,8 @@ async function relationalQuery(
  unit = 'day',
  filters = {},
 ) {
-  const { rawQuery, getDateQuery, getFilterQuery } = prisma;
-  const params = [start_at, end_at];
+  const { rawQuery, getDateQuery, getFilterQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];

  return rawQuery(
    `select
@ -28,8 +28,8 @@ async function relationalQuery(
    from event
      join website 
        on event.website_id = website.website_id
-    where website_uuid='${websiteId}'
-      and event.created_at between $1 and $2
+    where website_uuid = $1${toUuid()}
+      and event.created_at between $2 and $3
    ${getFilterQuery('event', filters, params)}
    group by 1, 2
    order by 2`,
--- a/queries/analytics/pageview/getPageviewMetrics.js
+++ b/queries/analytics/pageview/getPageviewMetrics.js
@ -10,8 +10,8 @@ export async function getPageviewMetrics(...args) {
 }

 async function relationalQuery(websiteId, { startDate, endDate, column, table, filters = {} }) {
-  const { rawQuery, parseFilters } = prisma;
-  const params = [startDate, endDate];
+  const { rawQuery, parseFilters, toUuid } = prisma;
+  const params = [websiteId, startDate, endDate];
  const { pageviewQuery, sessionQuery, eventQuery, joinSession } = parseFilters(
    table,
    column,
@ -24,8 +24,8 @@ async function relationalQuery(websiteId, { startDate, endDate, column, table, f
    from ${table}
      ${` join website on ${table}.website_id = website.website_id`}
      ${joinSession}
-    where website.website_uuid='${websiteId}'
-      and ${table}.created_at between $1 and $2
+    where website.website_uuid = $1${toUuid()}
+      and ${table}.created_at between $2 and $3
      ${pageviewQuery}
      ${joinSession && sessionQuery}
      ${eventQuery}
--- a/queries/analytics/pageview/getPageviewParams.js
+++ b/queries/analytics/pageview/getPageviewParams.js
@ -9,8 +9,8 @@ export async function getPageviewParams(...args) {
 }

 async function relationalQuery(websiteId, start_at, end_at, column, table, filters = {}) {
-  const { parseFilters, rawQuery } = prisma;
-  const params = [start_at, end_at];
+  const { parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];
  const { pageviewQuery, sessionQuery, eventQuery, joinSession } = parseFilters(
    table,
    column,
@ -24,8 +24,8 @@ async function relationalQuery(websiteId, start_at, end_at, column, table, filte
    from ${table}
      ${` join website on ${table}.website_id = website.website_id`}
      ${joinSession}
-    where website.website_uuid='${websiteId}'
-      and ${table}.created_at between $1 and $2
+    where website.website_uuid = $1${toUuid()}
+      and ${table}.created_at between $2 and $3
      and ${table}.url like '%?%'
      ${pageviewQuery}
      ${joinSession && sessionQuery}
--- a/queries/analytics/pageview/getPageviewStats.js
+++ b/queries/analytics/pageview/getPageviewStats.js
@ -21,8 +21,8 @@ async function relationalQuery(
    sessionKey = 'session_id',
  },
 ) {
-  const { getDateQuery, parseFilters, rawQuery } = prisma;
-  const params = [start_at, end_at];
+  const { getDateQuery, parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];
  const { pageviewQuery, sessionQuery, joinSession } = parseFilters(
    'pageview',
    null,
@ -37,8 +37,8 @@ async function relationalQuery(
        join website
            on pageview.website_id = website.website_id
        ${joinSession}
-      where website.website_uuid='${websiteId}'
-        and pageview.created_at between $1 and $2
+      where website.website_uuid = $1${toUuid()}
+        and pageview.created_at between $2 and $3
        ${pageviewQuery}
        ${sessionQuery}
      group by 1`,
--- a/queries/analytics/session/getSessionMetrics.js
+++ b/queries/analytics/session/getSessionMetrics.js
@ -10,8 +10,8 @@ export async function getSessionMetrics(...args) {
 }

 async function relationalQuery(websiteId, { startDate, endDate, field, filters = {} }) {
-  const { parseFilters, rawQuery } = prisma;
-  const params = [startDate, endDate];
+  const { parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, startDate, endDate];
  const { pageviewQuery, sessionQuery, joinSession } = parseFilters(null, filters, params);

  return rawQuery(
@ -23,8 +23,8 @@ async function relationalQuery(websiteId, { startDate, endDate, field, filters =
        join website 
          on pageview.website_id = website.website_id
        ${joinSession}
-      where website.website_uuid='${websiteId}'
-      and pageview.created_at between $1 and $2
+      where website.website_uuid = $1${toUuid()}
+      and pageview.created_at between $2 and $3
      ${pageviewQuery}
      ${sessionQuery}
    )
--- a/queries/analytics/stats/getActiveVisitors.js
+++ b/queries/analytics/stats/getActiveVisitors.js
@ -11,16 +11,17 @@ export async function getActiveVisitors(...args) {
 }

 async function relationalQuery(websiteId) {
+  const { rawQuery, toUuid } = prisma;
  const date = subMinutes(new Date(), 5);
-  const params = [date];
+  const params = [websiteId, date];

-  return prisma.rawQuery(
+  return rawQuery(
    `select count(distinct session_id) x
    from pageview
      join website 
        on pageview.website_id = website.website_id
-    where website.website_uuid = '${websiteId}'
-    and pageview.created_at >= $1`,
+    where website.website_uuid = $1${toUuid()}
+    and pageview.created_at >= $2`,
    params,
  );
 }
--- a/queries/analytics/stats/getWebsiteStats.js
+++ b/queries/analytics/stats/getWebsiteStats.js
@ -10,8 +10,8 @@ export async function getWebsiteStats(...args) {
 }

 async function relationalQuery(websiteId, { start_at, end_at, filters = {} }) {
-  const { getDateQuery, getTimestampInterval, parseFilters, rawQuery } = prisma;
-  const params = [start_at, end_at];
+  const { getDateQuery, getTimestampInterval, parseFilters, rawQuery, toUuid } = prisma;
+  const params = [websiteId, start_at, end_at];
  const { pageviewQuery, sessionQuery, joinSession } = parseFilters(
    'pageview',
    null,
@ -33,8 +33,8 @@ async function relationalQuery(websiteId, { start_at, end_at, filters = {} }) {
          join website 
            on pageview.website_id = website.website_id
          ${joinSession}
-        where website.website_uuid='${websiteId}'
-          and pageview.created_at between $1 and $2
+        where website.website_uuid = $1${toUuid()}
+          and pageview.created_at between $2 and $3
          ${pageviewQuery}
          ${sessionQuery}
        group by 1, 2