
Commit 97313e1

authored
fix(transport-commons): Ensure socket queries are always plain objects (#2597)
1 parent d719f54 commit 97313e1

3 files changed

Lines changed: 86 additions & 87 deletions


package-lock.json

Lines changed: 62 additions & 83 deletions

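--- a/packages/transport-commons/src/socket/utils.ts
+++ b/packages/transport-commons/src/socket/utils.ts
@@ -91,7 +91,7 @@ export async function runMethod (app: Application, connection: RealTimeConnectio
 }
 
 const position = paramsPositions[method] !== undefined ? paramsPositions[method] : DEFAULT_PARAMS_POSITION;
-const query = methodArgs[position] || {};
+const query = Object.assign({}, methodArgs[position]);
 // `params` have to be re-mapped to the query and added with the route
 const params = Object.assign({ query, route, connection }, connection);
 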
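Review bot: `Object.assign` copies with ordinary assignment, so on the new `const query = Object.assign({}, methodArgs[position]);` line an own `__proto__` key on the argument goes through the prototype setter of the fresh target and `query` can still end up with a non-plain prototype. `JSON.parse` produces exactly that own key, so if socket arguments reach `runMethod` as parsed JSON (the decoding is not visible in this hunk) the guarantee in the commit title does not hold for that shape. One option is `const query = { ...methodArgs[position] };`, which defines properties instead of assigning them when emitted as native spread; a downlevelled build falls back to assignment, so explicitly skipping the key is the portable form. The test added in utils.test.ts uses an object literal, where `__proto__: []` sets the prototype and leaves no own key, so it does not cover this case. `runMethod` starts and ends outside the hunk.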

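--- a/packages/transport-commons/test/socket/utils.test.ts
+++ b/packages/transport-commons/test/socket/utils.test.ts
@@ -2,6 +2,7 @@ import assert from 'assert';
 import { EventEmitter } from 'events';
 import { feathers, Application, Params } from '@feathersjs/feathers';
 import { NotAuthenticated } from '@feathersjs/errors';
+import { isPlainObject } from 'lodash';
 
 import { routing } from '../../src/routing';
 import {
@@ -189,11 +190,15 @@ describe('socket commons utils', () => {
 beforeEach(() => {
 app = feathers().configure(routing());
 app.use('/myservice', {
-get (id: number|string, params: Params) {
+async get (id: number|string, params: Params) {
 if (params.query.error) {
-return Promise.reject(new NotAuthenticated('None shall pass'));
+throw new NotAuthenticated('None shall pass');
 }
-return Promise.resolve({ id });
+if (!isPlainObject(params.query)) {
+throw new Error('Query is not a plain object');
+}
+
+return { id };
 }
 });
 });
@@ -212,6 +217,21 @@ describe('socket commons utils', () => {
 runMethod(app, {}, 'myservice', 'get', [ 10, {}, callback ]);
 });
 
+it('queries are always plain objects', done => {
+const callback = (error: any, result: any) => {
+if (error) {
+return done(error);
+}
+
+assert.deepStrictEqual(result, { id: 10 });
+done();
+};
+
+runMethod(app, {}, 'myservice', 'get', [ 10, {
+__proto__: []
+}, callback ]);
+});
+
 it('merges params with connection and passes connection', done => {
 const connection = {
 testing: true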
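Review bot: The new 'queries are always plain objects' test passes only an object whose prototype was set in a literal, so it pins just one of the shapes the old `methodArgs[position] || {}` let through. Truthy non-objects such as an array or a string were passed on unchanged before and are now copied index by index into a fresh object; a case like `runMethod(app, {}, 'myservice', 'get', [ 10, [ 'a' ], callback ]);` would record that behaviour. The `isPlainObject` guard added to the shared `get` stub in `beforeEach` already fails such a case loudly, so only the calls are missing. The `describe` block starts and ends outside these hunks.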
