fix: add validation to reject insecureRawSQL and insecureRawNoSQL filters in API requests

NoOne7135 · NoOne7135 · commit 070d7e14e257 · 2026-06-19T11:32:37.000+03:00
diff --git a/adminforth/modules/restApi.ts b/adminforth/modules/restApi.ts
@@ -167,8 +167,6 @@ const filterConditionSchema: AnySchemaObject = {
     operator: { type: 'string', enum: SIMPLE_FILTER_OPERATORS },
     value: {},
     rightField: { type: 'string' },
-    insecureRawSQL: { type: 'string' },
-    insecureRawNoSQL: {},
   },
   additionalProperties: true,
   examples: [filterConditionExample],
@@ -242,6 +240,31 @@ const commonFiltersSchema: AnySchemaObject = {
   ],
 };
 
+function hasApiRawFilter(filters: any): boolean {
+  if (!filters || typeof filters !== 'object') {
+    return false;
+  }
+
+  if (Array.isArray(filters)) {
+    return filters.some(hasApiRawFilter);
+  }
+
+  if (
+    Object.prototype.hasOwnProperty.call(filters, 'insecureRawSQL') ||
+    Object.prototype.hasOwnProperty.call(filters, 'insecureRawNoSQL')
+  ) {
+    return true;
+  }
+
+  return Array.isArray(filters.subFilters) && filters.subFilters.some(hasApiRawFilter);
+}
+
+function rejectApiRawFilters(filters: any): { error: string } | undefined {
+  if (hasApiRawFilter(filters)) {
+    return { error: 'insecureRawSQL and insecureRawNoSQL filters are not allowed in API requests' };
+  }
+}
+
 function createErrorOrSuccessSchema(successSchema: AnySchemaObject): AnySchemaObject {
   return {
     anyOf: [
@@ -1290,6 +1313,10 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
         if (!resource) {
           return { error: `Resource ${resourceId} not found` };
         }
+        const rawFilterError = rejectApiRawFilters(body.filters);
+        if (rawFilterError) {
+          return rawFilterError;
+        }
 
         const meta = { requestBody: body, pk: undefined };
         if (source === 'edit' || source === 'show') {
@@ -1692,6 +1719,10 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
         if (!resource) {
           return { error: `Resource ${resourceId} not found` };
         }
+        const rawFilterError = rejectApiRawFilters(filters);
+        if (rawFilterError) {
+          return rawFilterError;
+        }
 
         const meta = { requestBody: body, pk: undefined };
         const { allowedActions } = await interpretResource(
@@ -1772,6 +1803,10 @@ export default class AdminForthRestAPI implements IAdminForthRestAPI {
         if (!columnConfig.foreignResource) {
           return { error: `Column '${column}' in resource '${resourceId}' is not a foreign key` };
         }
+        const rawFilterError = rejectApiRawFilters(body.filters);
+        if (rawFilterError) {
+          return rawFilterError;
+        }
 
         const targetResourceIds = columnConfig.foreignResource.resourceId ? [columnConfig.foreignResource.resourceId] : columnConfig.foreignResource.polymorphicResources.filter(pr => pr.resourceId !== null).map((pr) => pr.resourceId);
         const targetResources = targetResourceIds.map((trId) => this.adminforth.config.resources.find((res) => res.resourceId == trId));
