From 92ec3d07a3dca6c4163d77a095e87cdced0114c5 Mon Sep 17 00:00:00 2001
From: Ali BARIN
Date: Fri, 21 Jun 2024 09:45:29 +0000
Subject: [PATCH] feat(salesforce/find-partially-matching-record): sanitize user inputs
---
 .../find-partially-matching-record/index.js | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/packages/backend/src/apps/salesforce/actions/find-partially-matching-record/index.js b/packages/backend/src/apps/salesforce/actions/find-partially-matching-record/index.js
index 6a582dcb..328c57c0 100644
--- a/packages/backend/src/apps/salesforce/actions/find-partially-matching-record/index.js
+++ b/packages/backend/src/apps/salesforce/actions/find-partially-matching-record/index.js
@@ -1,4 +1,6 @@
 import defineAction from '../../../../helpers/define-action.js';
+import listObjects from '../../dynamic-data/list-objects/index.js';
+import listFields from '../../dynamic-data/list-fields/index.js';
 export default defineAction({
 name: 'Find partially matching record',
@@ -57,13 +59,31 @@ export default defineAction({
 ],
 async run($) {
+ const sanitizedSearchValue = $.step.parameters.searchValue.replaceAll(`'`, `\\'`);
+
+ // validate given object
+ const objects = await listObjects.run($);
+ const validObject = objects.data.find((object) => object.value === $.step.parameters.object);
+
+ if (!validObject) {
+ throw new Error(`The "${$.step.parameters.object}" object does not exist.`);
+ }
+
+ // validate given object field
+ const fields = await listFields.run($);
+ const validField = fields.data.find((field) => field.value === $.step.parameters.field);
+
+ if (!validField) {
+ throw new Error(`The "${$.step.parameters.field}" field does not exist on the "${$.step.parameters.object}" object.`);
+ }
+
 const query = `
 SELECT FIELDS(ALL)
 FROM ${$.step.parameters.object}
 WHERE
- ${$.step.parameters.field} LIKE '%${$.step.parameters.searchValue}%'
+ ${$.step.parameters.field} LIKE '%${sanitizedSearchValue}%'
 LIMIT 1
 `;