Commit a38b6d14 authored by Revant Nandgaonkar's avatar Revant Nandgaonkar

fix: Use whitelist in ValidationPipe

only allow properties declared on the DTO

fixes validation pipes
parent 2a79fe45
......@@ -45,7 +45,7 @@ export class AuthController {
}
@Post('signup')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@ApiOperation({
title: i18n.__('Signup'),
description: i18n.__('Sign up a new user'),
......@@ -92,7 +92,7 @@ export class AuthController {
}
@Post('password_less')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async passwordLess(@Body() payload: PasswordLessDto, @Req() req) {
const user = await this.authService.passwordLessLogin(payload);
addSessionUser(req, {
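Review bot: The `new ValidationPipe({ whitelist: true })` instance is repeated per handler in this hunk (`signup`, `passwordLess`) and in every other hunk of the commit, so any handler added later without the decorator, or one that takes a `@Query()`/`@Param()` DTO and has no `@UsePipes`, silently gets no whitelisting. Registering it once with `app.useGlobalPipes(new ValidationPipe({ whitelist: true }))` in the bootstrap, or exporting one shared instance, keeps the policy in a single place. Consider also `forbidNonWhitelisted: true` so a request carrying undeclared properties is rejected with a 400 rather than silently trimmed, which makes client mistakes visible instead of hiding them. Both handler bodies continue outside the hunk.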
......
......@@ -14,11 +14,9 @@ export class CreateSocialLoginDto {
clientSecret: string;
@IsUrl()
@IsOptional()
authorizationURL: string;
@IsUrl()
@IsOptional()
tokenURL: string;
@IsUrl()
......@@ -30,7 +28,6 @@ export class CreateSocialLoginDto {
baseURL: string;
@IsUrl()
@IsOptional()
profileURL: string;
@IsUrl()
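Review bot: The hunk counts (11→9 and 7→6 lines) suggest the removed lines are the `@IsOptional()` decorators on `authorizationURL`, `tokenURL` and `profileURL`, which makes those three fields mandatory and `@IsUrl()`-checked on every create call; the commit message only mentions whitelisting, so confirm this tightening is intended and that existing callers that omitted them will not start failing with 400. If they really are required now, the property declarations should not carry a `?` and the API documentation should say so; if the intent was only to strip unknown keys, `@IsOptional()` should stay. The class declaration continues outside both hunks.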
......
......@@ -38,7 +38,7 @@ export class SocialLoginController {
@Post('v1/create')
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async create(@Body() body: CreateSocialLoginDto, @Req() req, @Res() res) {
const payload: any = body;
payload.createdBy = req.user.user;
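Review bot: `const payload: any = body;` on the line after the signature throws away the `CreateSocialLoginDto` type the pipe just validated, and the same pattern appears in `ClientController.create` further down. Building the persisted object as `const payload = { ...body, createdBy: req.user.user };` keeps the checked type and makes explicit which server-side fields are added after whitelisting. `req` is untyped here as well, so `req.user.user` is `any`; a request type carrying the user shape the guard attaches would let the compiler catch a misspelled property. The handler body continues outside the hunk.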
......
......@@ -41,7 +41,7 @@ export class ClientController {
@Post('v1/create')
@UseGuards(AuthGuard('bearer', { session: false, callback }))
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async create(@Body() body: CreateClientDto, @Req() req, @Res() res) {
const payload: any = body;
if (!(await this.userService.checkAdministrator(req.user.user))) {
......
......@@ -74,7 +74,7 @@ export class ScopeController {
}
@Post('v1/create')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
async create(@Body() body: CreateScopeDto, @Res() res) {
......
......@@ -35,7 +35,7 @@ export class ServerSettingsController {
}
@Post('v1/update')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
async updateSettings(@Body() payload: ServerSettingDto, @Req() req) {
......@@ -46,7 +46,7 @@ export class ServerSettingsController {
}
@Post('v1/delete_bearer_tokens')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
async deleteTokens(@Req() req) {
......@@ -57,7 +57,7 @@ export class ServerSettingsController {
}
@Post('v1/delete_user_sessions')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
async deleteSessions(@Req() req) {
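Review bot: `deleteTokens` and `deleteSessions` take only `@Req() req` and no body or param DTO, so as far as I can tell the `new ValidationPipe({ whitelist: true })` on them validates nothing (ValidationPipe skips parameters whose metatype is an untyped `Object`) and is only dead weight. Either drop `@UsePipes` from those two handlers or add a comment such as `// no DTO on this route; pipe kept only for uniformity` so the next reader does not assume the request is validated. `updateSettings` does carry `ServerSettingDto` and needs the pipe. All three handler bodies continue outside the hunks.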
......
......@@ -14,7 +14,7 @@ export class SignupController {
constructor(private readonly signupService: SignupService) {}
@Post('v1/email')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async signupViaEmail(@Body() payload: SignupViaEmailDto, @Res() res) {
await this.signupService.validateSignupEnabled();
payload.email = payload.email.trim().toLocaleLowerCase();
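Review bot: `payload.email.trim().toLocaleLowerCase()` normalises with the host's default locale, which can differ between deployments (dotless-i locales fold `I` differently); for an identifier such as an e-mail address the locale-independent `payload.email = payload.email.trim().toLowerCase();` is the safer choice. The normalisation also runs after the pipe, so validation saw the un-normalised value; harmless for lowercasing, but a one-line comment saying the stored form is the normalised one would help. The handler continues outside the hunk.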
......
......@@ -53,7 +53,7 @@ export class UserController {
@Post('v1/change_password')
@UseGuards(AuthGuard('bearer', { session: false, callback }))
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updatePassword(@Req() req, @Body() passwordPayload: ChangePasswordDto) {
const userUuid = req.user.user;
return await this.commandBus.execute(
......@@ -100,7 +100,7 @@ export class UserController {
}
@Post('v1/create')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(AuthGuard('bearer', { session: false, callback }), RoleGuard)
async create(@Body() payload: UserAccountDto, @Req() req) {
......@@ -178,7 +178,7 @@ export class UserController {
}
@Post('v1/generate_password')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async verifyEmail(@Body() payload: VerifyEmailDto) {
return await this.commandBus.execute(
new VerifyEmailAndSetPasswordCommand(payload),
......
......@@ -61,7 +61,7 @@ export class CloudStorageController {
}
@Post('v1/add')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async addStorage(@Body() payload: StorageValidationDto, @Req() req) {
......@@ -69,7 +69,7 @@ export class CloudStorageController {
}
@Put('v1/modify/:uuid')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async modifyStorage(@Body() payload: ModifyStorageDto, @Param('uuid') uuid) {
......@@ -79,7 +79,7 @@ export class CloudStorageController {
}
@Delete('v1/remove/:uuid')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async removeStorage(@Param() uuid, @Req() req) {
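Review bot: `removeStorage(@Param() uuid, @Req() req)` uses a bare `@Param()`, which yields the whole params object, while `modifyStorage` two hunks up uses `@Param('uuid') uuid`; unless the body (outside the hunk) reads `uuid.uuid`, this parameter holds `{ uuid: ... }` rather than the string its name suggests. Changing it to `@Param('uuid') uuid: string` matches the sibling handler and gives the pipe a real metatype to work with. With no DTO on this route the whitelist pipe has nothing to act on either way.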
......
......@@ -30,14 +30,14 @@ export class EmailController {
@Post('v1/system')
@UseGuards(AuthServerVerificationGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async sendSystemEmail(@Body() payload: EmailMessageAuthServerDto) {
return await this.emailService.sendSystemMessage(payload);
}
@Post('v1/create')
@UseGuards(TokenGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async create(@Req() req, @Res() res, @Body() payload: CreateEmailDto) {
payload.owner = req.token.sub;
const emailAccount = await this.emailAccount.save(payload);
......
......@@ -32,7 +32,7 @@ export class Oauth2ProviderController {
@Post('v1/add_provider')
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async addProvider(@Body() payload: OAuth2ProviderDto) {
return await this.commandBus.execute(new AddOAuth2ProviderCommand(payload));
}
......@@ -50,7 +50,7 @@ export class Oauth2ProviderController {
@Post('v1/update_provider/:uuid')
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updateProvider(
@Param('uuid') uuid,
@Body() payload: OAuth2ProviderDto,
......
......@@ -30,7 +30,7 @@ export class SettingsController {
@Post('v1/update')
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updateSettings(@Body() payload: ServerSettingsDto) {
return from(this.settingsService.find()).pipe(
switchMap(settings => {
......
......@@ -13,7 +13,7 @@ export class SetupController {
constructor(private readonly setupService: SetupService) {}
@Post()
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async setup(@Body() setupForm: ServerSettingsDto) {
return await this.setupService.setup(setupForm);
}
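Review bot: `setup` is a `@Post()` with the new whitelist pipe but no guard, and the same shape appears in the other two `SetupController` hunks of this commit (the `@Body() payload: ServerSettingsDto` and `@Body() icSettingsDTO: ServerSettingsDto` variants); whitelisting strips unknown keys but does nothing to stop a repeat call from overwriting existing settings. If `setupService.setup` does not already refuse once settings exist, that check belongs there, and a short comment on the controller noting where that protection lives would help a reader who only sees this file. The handler body is the single `return` line shown, so nothing else is hidden.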
......
......@@ -28,7 +28,7 @@ export class ProfileController {
@Post('v1/update_profile_details')
@UseGuards(TokenGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updateProfileDetails(@Body() profile: ProfileDetailsDTO, @Req() req) {
let updatedProfile: Profile;
if (profile.uuid && profile.uuid === req.token.sub) {
......@@ -48,7 +48,7 @@ export class ProfileController {
@Post('v1/update_personal_details')
@UseGuards(TokenGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updateProfile(
@Body() profile: PersonalDetailsDTO,
@Req() req,
......
......@@ -30,7 +30,7 @@ export class SettingsController {
@Post('v1/update')
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async updateSettings(@Body() payload: ServerSettingsDto) {
return from(this.settingsService.find()).pipe(
switchMap(settings => {
......
......@@ -13,7 +13,7 @@ export class SetupController {
constructor(private readonly settingsService: SetupService) {}
@Post()
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async setup(@Body() payload: ServerSettingsDto) {
return await this.settingsService.setup(payload);
}
......
......@@ -54,7 +54,7 @@ export class ServiceTypeController {
}
@Post('v1/create')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async registerService(@Body() payload: ServiceTypeValidationDto) {
......
......@@ -57,7 +57,7 @@ export class ServiceController {
}
@Post('v1/register')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async registerService(@Body() payload: CreateServiceDto, @Req() req) {
......@@ -68,7 +68,7 @@ export class ServiceController {
}
@Post('v1/modify/:clientId')
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
async modifyService(
......
......@@ -29,7 +29,7 @@ export class SettingsController {
@Post('v1/update')
@Roles(ADMINISTRATOR)
@UseGuards(TokenGuard, RoleGuard)
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
updateSettings(@Body() payload: ServerSettingsDto) {
return this.settingsService.find().pipe(
switchMap(settings => {
......
......@@ -13,7 +13,7 @@ export class SetupController {
constructor(private readonly settingsService: SetupService) {}
@Post()
@UsePipes(ValidationPipe)
@UsePipes(new ValidationPipe({ whitelist: true }))
async setup(@Body() icSettingsDTO: ServerSettingsDto) {
return await this.settingsService.setup(icSettingsDTO);
}
......