From 6b8619f542db83477e8fb0ef05d63d39c026916c Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Thu, 10 Oct 2019 13:46:50 -0700 Subject: [PATCH] Added checks to catch MongoDB . in key exception. --- db.js | 90 ++++++++++++++++++++++++++++++++++++++++++++-------- package.json | 2 +- 2 files changed, 77 insertions(+), 15 deletions(-) diff --git a/db.js b/db.js index ff530c3d..c15627b4 100644 --- a/db.js +++ b/db.js @@ -607,10 +607,20 @@ module.exports.CreateDB = function (parent, func) { setupFunctions(func); // Completed setup of NeDB } + // Check the object names for a "." + function checkObjectNames(r) { + if (typeof r != 'object') return; + for (var i in r) { + if (i.indexOf('.') >= 0) { throw('BadDbName: ' + JSON.stringify(r)); } + checkObjectNames(r[i]); + } + } + function setupFunctions(func) { if (obj.databaseType == 3) { // Database actions on the main collection (MongoDB) obj.Set = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING obj.file.replaceOne({ _id: data._id }, performTypedRecordEncrypt(data), { upsert: true }, func); }; obj.Get = function (id, func) { 
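Review bot: `checkObjectNames` throws a bare string that embeds `JSON.stringify(r)` of the whole record, so a rejected document (for example the user object passed by `SetUser`, which may hold credential material) is copied verbatim into whatever log or crash output receives the exception, and a thrown string carries no stack trace. Throwing an Error that names only the offending key keeps the diagnostic without the record contents: `throw new Error('BadDbName: key "' + i + '"');`. The helper also recurses with no depth or cycle guard and walks inherited enumerable properties through `for...in`. It throws synchronously from every write path it is added to in this and the later hunks (`Set`, `InsertMany`, `SetUser`, `StoreEvent`, `storePowerEvent`, `SetSMBIOS`, `SetServerStats`), so if any of those records carry key names taken from remote input and the callers, which are not visible here, do not catch, one dotted key aborts the calling operation. The `// DEBUG CHECKING` comments should state whether the throw is meant to remain in release builds.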
@@ -640,11 +650,25 @@ module.exports.CreateDB = function (parent, func) { obj.Remove = function (id) { obj.file.deleteOne({ _id: id }); }; obj.RemoveAll = function (func) { obj.file.deleteMany({}, { multi: true }, func); }; obj.RemoveAllOfType = function (type, func) { obj.file.deleteMany({ type: type }, { multi: true }, func); }; - obj.InsertMany = function (data, func) { obj.file.insertMany(data, func); }; + obj.InsertMany = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING + obj.file.insertMany(data, func); + }; obj.RemoveMeshDocuments = function (id) { obj.file.deleteMany({ meshid: id }, { multi: true }); obj.file.deleteOne({ _id: 'nt' + id }); }; - obj.MakeSiteAdmin = function (username, domain) { obj.Get('user/' + domain + '/' + username, function (err, docs) { if (docs.length == 1) { docs[0].siteadmin = 0xFFFFFFFF; obj.Set(docs[0]); } }); }; + obj.MakeSiteAdmin = function (username, domain) { + obj.Get('user/' + domain + '/' + username, function (err, docs) { + if (docs.length == 1) { + checkObjectNames(docs[0]); // DEBUG CHECKING + docs[0].siteadmin = 0xFFFFFFFF; obj.Set(docs[0]); + } + }); + }; obj.DeleteDomain = function (domain, func) { obj.file.deleteMany({ domain: domain }, { multi: true }, func); }; - obj.SetUser = function (user) { var u = Clone(user); if (u.subscriptions) { delete u.subscriptions; } obj.Set(u); }; + obj.SetUser = function (user) { + checkObjectNames(user); // DEBUG CHECKING + var u = Clone(user); + if (u.subscriptions) { delete u.subscriptions; } obj.Set(u); + }; obj.dispose = function () { for (var x in obj) { if (obj[x].close) { obj[x].close(); } delete obj[x]; } }; obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }).toArray(func); }; obj.getAmtUuidNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }).toArray(func); }; 
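Review bot: In `MakeSiteAdmin` the callback reads `docs.length` without looking at `err`, so a failed `obj.Get` that supplies no `docs` would throw inside the database callback, and the added `checkObjectNames(docs[0])` throws from that same place, where no caller of `MakeSiteAdmin` can catch it. A guard before touching `docs[0]` would cover the error path: `if (err || !docs || docs.length != 1) { return; }`. The explicit check is also redundant here and in `SetUser`, because both end in `obj.Set(...)`, which already runs `checkObjectNames` in the `@@ -607` hunk, so the record is traversed twice. The same pattern is repeated for the NeDB/MongoJS branch in the `@@ -734` hunk.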
@@ -656,7 +680,10 @@ module.exports.CreateDB = function (parent, func) { // Database actions on the events collection obj.GetAllEvents = function (func) { obj.eventsfile.find({}).toArray(func); }; - obj.StoreEvent = function (event) { obj.eventsfile.insertOne(event); }; + obj.StoreEvent = function (event) { + checkObjectNames(event); // DEBUG CHECKING + obj.eventsfile.insertOne(event); + }; obj.GetEvents = function (ids, domain, func) { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }).project({ type: 0, _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).toArray(func); }; obj.GetEventsWithLimit = function (ids, domain, limit, func) { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }).project({ type: 0, _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).limit(limit).toArray(func); }; obj.GetUserEvents = function (ids, domain, username, func) { obj.eventsfile.find({ domain: domain, $or: [{ ids: { $in: ids } }, { username: username }] }).project({ type: 0, _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).toArray(func); }; 
@@ -668,18 +695,27 @@ module.exports.CreateDB = function (parent, func) { // Database actions on the power collection obj.getAllPower = function (func) { obj.powerfile.find({}).toArray(func); }; - obj.storePowerEvent = function (event, multiServer, func) { if (multiServer != null) { event.server = multiServer.serverid; } obj.powerfile.insertOne(event, func); }; + obj.storePowerEvent = function (event, multiServer, func) { + checkObjectNames(event); // DEBUG CHECKING + if (multiServer != null) { event.server = multiServer.serverid; } obj.powerfile.insertOne(event, func); + }; obj.getPowerTimeline = function (nodeid, func) { obj.powerfile.find({ nodeid: { $in: ['*', nodeid] } }).project({ _id: 0, nodeid: 0, s: 0 }).sort({ time: 1 }).toArray(func); }; obj.removeAllPowerEvents = function () { obj.powerfile.deleteMany({}, { multi: true }); }; obj.removeAllPowerEventsForNode = function (nodeid) { obj.powerfile.deleteMany({ nodeid: nodeid }, { multi: true }); }; // Database actions on the SMBIOS collection - obj.SetSMBIOS = function (smbios, func) { obj.smbiosfile.updateOne({ _id: smbios._id }, { $set: smbios }, { upsert: true }, func); }; + obj.SetSMBIOS = function (smbios, func) { + checkObjectNames(smbios); // DEBUG CHECKING + obj.smbiosfile.updateOne({ _id: smbios._id }, { $set: smbios }, { upsert: true }, func); + }; obj.RemoveSMBIOS = function (id) { obj.smbiosfile.deleteOne({ _id: id }); }; obj.GetSMBIOS = function (id, func) { obj.smbiosfile.find({ _id: id }).toArray(func); }; // Database actions on the Server Stats collection - obj.SetServerStats = function (data, func) { obj.serverstatsfile.insertOne(data, func); }; + obj.SetServerStats = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING + obj.serverstatsfile.insertOne(data, func); + }; obj.GetServerStats = function (hours, func) { var t = new Date(); t.setTime(t.getTime() - (60 * 60 * 1000 * hours)); obj.serverstatsfile.find({ time: { $gt: t } }, { _id: 0, cpu: 0 }).toArray(func); }; // Read a 
configuration file from the database @@ -706,7 +742,11 @@ module.exports.CreateDB = function (parent, func) { } } else { // Database actions on the main collection (NeDB and MongoJS) - obj.Set = function (data, func) { var xdata = performTypedRecordEncrypt(data); obj.file.update({ _id: xdata._id }, xdata, { upsert: true }, func); }; + obj.Set = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING + var xdata = performTypedRecordEncrypt(data); + obj.file.update({ _id: xdata._id }, xdata, { upsert: true }, func); + }; obj.Get = function (id, func) { if (arguments.length > 2) { var parms = [func]; 
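Review bot: In `SetSMBIOS` (the `@@ -668` hunk) the record is passed directly as the `$set` operand, where MongoDB reads a `.` in a key as a path into an embedded document rather than as a literal field name, so the added check is real input validation on that path and not only a debugging aid. A comment saying so would stop it being removed as debug code later, e.g. `// Reject dotted keys: $set would treat them as nested paths`. `checkObjectNames` looks only for `.`; keys beginning with `$` are not checked, and if `smbios` originates from a managed device that is worth covering in the helper as well, e.g. `if (i.indexOf('.') >= 0 || i.charAt(0) == '$')`. The same applies to the NeDB/MongoJS counterparts in the later hunks.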
@@ -734,11 +774,24 @@ module.exports.CreateDB = function (parent, func) { obj.Remove = function (id) { obj.file.remove({ _id: id }); }; obj.RemoveAll = function (func) { obj.file.remove({}, { multi: true }, func); }; obj.RemoveAllOfType = function (type, func) { obj.file.remove({ type: type }, { multi: true }, func); }; - obj.InsertMany = function (data, func) { obj.file.insert(data, func); }; + obj.InsertMany = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING + obj.file.insert(data, func); + }; obj.RemoveMeshDocuments = function (id) { obj.file.remove({ meshid: id }, { multi: true }); obj.file.remove({ _id: 'nt' + id }); }; - obj.MakeSiteAdmin = function (username, domain) { obj.Get('user/' + domain + '/' + username, function (err, docs) { if (docs.length == 1) { docs[0].siteadmin = 0xFFFFFFFF; obj.Set(docs[0]); } }); }; + obj.MakeSiteAdmin = function (username, domain) { + obj.Get('user/' + domain + '/' + username, function (err, docs) { + if (docs.length == 1) { + checkObjectNames(docs[0]); // DEBUG CHECKING + docs[0].siteadmin = 0xFFFFFFFF; obj.Set(docs[0]); + } + }); + }; obj.DeleteDomain = function (domain, func) { obj.file.remove({ domain: domain }, { multi: true }, func); }; - obj.SetUser = function (user) { var u = Clone(user); if (u.subscriptions) { delete u.subscriptions; } obj.Set(u); }; + obj.SetUser = function (user) { + checkObjectNames(user); // DEBUG CHECKING + var u = Clone(user); if (u.subscriptions) { delete u.subscriptions; } obj.Set(u); + }; obj.dispose = function () { for (var x in obj) { if (obj[x].close) { obj[x].close(); } delete obj[x]; } }; obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }, func); }; obj.getAmtUuidNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }, func); }; 
@@ -746,7 +799,10 @@ module.exports.CreateDB = function (parent, func) { // Database actions on the events collection obj.GetAllEvents = function (func) { obj.eventsfile.find({}, func); }; - obj.StoreEvent = function (event) { obj.eventsfile.insert(event); }; + obj.StoreEvent = function (event) { + checkObjectNames(event); // DEBUG CHECKING + obj.eventsfile.insert(event); + }; obj.GetEvents = function (ids, domain, func) { if (obj.databaseType == 1) { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }, { _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).exec(func); } else { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }, { type: 0, _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }, func); } }; obj.GetEventsWithLimit = function (ids, domain, limit, func) { if (obj.databaseType == 1) { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }, { _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).limit(limit).exec(func); } else { obj.eventsfile.find({ domain: domain, ids: { $in: ids } }, { type: 0, _id: 0, domain: 0, ids: 0, node: 0 }).sort({ time: -1 }).limit(limit, func); } }; obj.GetUserEvents = function (ids, domain, username, func) { 
@@ -770,7 +826,10 @@ module.exports.CreateDB = function (parent, func) { // Database actions on the power collection obj.getAllPower = function (func) { obj.powerfile.find({}, func); }; - obj.storePowerEvent = function (event, multiServer, func) { if (multiServer != null) { event.server = multiServer.serverid; } obj.powerfile.insert(event, func); }; + obj.storePowerEvent = function (event, multiServer, func) { + checkObjectNames(event); // DEBUG CHECKING + if (multiServer != null) { event.server = multiServer.serverid; } obj.powerfile.insert(event, func); + }; obj.getPowerTimeline = function (nodeid, func) { if (obj.databaseType == 1) { obj.powerfile.find({ nodeid: { $in: ['*', nodeid] } }, { _id: 0, nodeid: 0, s: 0 }).sort({ time: 1 }).exec(func); } else { obj.powerfile.find({ nodeid: { $in: ['*', nodeid] } }, { _id: 0, nodeid: 0, s: 0 }).sort({ time: 1 }, func); } }; obj.removeAllPowerEvents = function () { obj.powerfile.remove({}, { multi: true }); }; obj.removeAllPowerEventsForNode = function (nodeid) { obj.powerfile.remove({ nodeid: nodeid }, { multi: true }); }; @@ -781,7 +840,10 @@ module.exports.CreateDB = function (parent, func) { obj.GetSMBIOS = function (id, func) { obj.smbiosfile.find({ _id: id }, func); }; // Database actions on the Server Stats collection - obj.SetServerStats = function (data, func) { obj.serverstatsfile.insert(data, func); }; + obj.SetServerStats = function (data, func) { + checkObjectNames(data); // DEBUG CHECKING + obj.serverstatsfile.insert(data, func); + }; obj.GetServerStats = function (hours, func) { var t = new Date(); t.setTime(t.getTime() - (60 * 60 * 1000 * hours)); obj.serverstatsfile.find({ time: { $gt: t } }, { _id: 0, cpu: 0 }, func); }; // Read a configuration file from the database diff --git a/package.json b/package.json index f10ad438..1731a211 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "meshcentral", - "version": "0.4.2-a", + "version": "0.4.2-b", "keywords": [ "Remote Management", "Intel AMT",