chore!: add conditional support to query and fields query params (#33544)

* chore: add conditional support to query and fields query params * chore: add conditional support to query and fields query params * chore: remove dummyRoute * chore: add comment on hasSupportedRoutes * chore: change logger to point to version 8

chore!: add conditional support to query and fields query params (#33544)
8865653f · Ricardo Garim · Guilherme Gazzo · fa501ecb · 8865653f · 8865653f
Commit 8865653f authored 6 months ago by Ricardo Garim Committed by Guilherme Gazzo 6 months ago
--- a/apps/meteor/app/api/server/definition.ts
+++ b/apps/meteor/app/api/server/definition.ts
@@ -149,7 +149,13 @@ export type ActionThis<TMethod extends Method, TPathPattern extends PathPattern,
 	readonly queryOperations: TOptions extends { queryOperations: infer T } ? T : never;
 	parseJsonQuery(): Promise<{
 		sort: Record<string, 1 | -1>;
+		/**
+		 * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+		 */
 		fields: Record<string, 0 | 1>;
+		/**
+		 * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+		 */
 		query: Record<string, unknown>;
 	}>;
 } & (TOptions extends { authRequired: true }

--- a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
+++ b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts
@@ -15,7 +15,13 @@ const pathAllowConf = {

 export async function parseJsonQuery(api: PartialThis): Promise<{
 	sort: Record<string, 1 | -1>;
+	/**
+	 * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+	 */
 	fields: Record<string, 0 | 1>;
+	/**
+	 * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable.
+	 */
 	query: Record<string, unknown>;
 }> {
 	const {
@@ -47,10 +53,16 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 		}
 	}

+	// TODO: Remove this once we have all routes migrated to the new API params
+	const hasSupportedRoutes = ([] as string[]).includes(route);
+	const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE';
+	const messageGenerator = ({ endpoint, version, parameter }: { endpoint: string; version: string; parameter: string }): string =>
+		`The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`;
+
 	let fields: Record<string, 0 | 1> | undefined;
-	if (params.fields) {
-		apiDeprecationLogger.parameter(route, 'fields', '7.0.0', response);
+	if (params.fields && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) {
 		try {
+			apiDeprecationLogger.parameter(route, 'fields', '8.0.0', response, messageGenerator);
 			fields = JSON.parse(params.fields) as Record<string, 0 | 1>;

 			Object.entries(fields).forEach(([key, value]) => {
@@ -99,9 +111,8 @@ export async function parseJsonQuery(api: PartialThis): Promise<{
 	}

 	let query: Record<string, any> = {};
-	if (params.query) {
-		apiDeprecationLogger.parameter(route, 'query', '7.0.0', response);
-
+	if (params.query && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) {
+		apiDeprecationLogger.parameter(route, 'query', '8.0.0', response, messageGenerator);
 		try {
 			query = ejson.parse(params.query);
 			query = clean(query, pathAllowConf.def);