Headline
CVE-2022-33171: Comparing 0.2.45...0.3.0 · typeorm/typeorm
** DISPUTED ** The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor’s position is that the user’s application is responsible for input validation.
Commits on Mar 17, 2022
0.3.0 (#8616)
* added find options and new option relationLoadStrategy
* find now returns null instead of undefined; removed primary relations support; bugfixing; added some changes and tests from next branch;
* added typename to connection options; added data loader types, lot of deprecations; new es2020 emit by tsc; new custom repositories syntax
* applied lint fixing
* replaced some instanceof checks
* reverting docker compose image versions
* optimizing imports
* reverting back some instanceof checks to prevent compiler errors
* downgrading es compilation version
* docs: remove “primary” from relation options (#8619)
remove ex-line 26 for being deprecated in 0.3.0: “* `primary: boolean` - Indicates whether this relation’s column will be a primary column or not.”
* Revert “reverting back some instanceof checks to prevent compiler errors”
This reverts commit 7bf12a3.
* Revert “optimizing imports”
This reverts commit 7588ac1.
* Revert “replaced some instanceof checks”
This reverts commit bfa5a2d.
* fixing few comments
* removing transaction decorators
* this test is invalid - it’s not clear why the hell getTreeRepository will throw an error and it’s not clear what kind of error its going to throw
* addded mixed list support in connection options
* trying to fix oracle length issue
* lintfix
* removed shorten usages
* added named entity target support to the connection
* fixing entity target support in relation options via entity schema
* debugging oracle issue
* fixed issue with alias not being shortened in many to many alias cases
* some day we’ll have a prettier.
* fixing oracle tests
* fixing oracle failing test
* removed “null” support in where expressions; fixed softDelete and restore incorrect usages
* renamed FindConditions to FindOptionsWhere
* version bump
* docs: update loading relation in find method (v 0.3.0) (#8621)
* docs: update relation definition method
Update the method that allows loading a specific relation inside the find method. This method is found on the one-to-one-relations page. Change `const users = await userRepository.find({ relations: [“profile”] });` to `const users = await userRepository.find({ relations: {profile: true});`.
* fix formatting
Co-authored-by: Umed Khudoiberdiev [email protected]
* docs: change relations option definition (#8620)
* docs: change relations option definition
change line 139 from `const users = await connection.getRepository(User).find({ relations: ["profile", "photos", “videos”] });` to `const users = await connection.getRepository(User).find({ relations: { profile: true, photos: true, videos: true] });` to reflect version 0.3.0 changes
* docs: change relations option definition
Rectified a type on line 139 from: `const users = await connection.getRepository(User).find({ relations: { profile: true, photos: true, videos: true] });` to `const users = await connection.getRepository(User).find({ relations: { profile: true, photos: true, videos: true} });`
* formatting
Co-authored-by: Umed Khudoiberdiev [email protected]
* lint
* improved find options types
* fixed types and removed nonnever because it causes circual issue for some reason
* docs: update entitymanager definition (#8623)
* docs: update entitymanager definition
change the “What is EntityManager?” page to be up-to-date with v 0.3.0
line 6 changes from `You can access the entity manager via 'getManager()' or from 'Connection’.` to `You can access the entity manager via DataSource’s manager.`
the import on `getManager` in line 10 becomes `Manager` that the user have configured beforehand: `import {getManager} from "typeorm";` becomes `import {Manager} from "./config/DataSource";`
3.change entityManager definition in line 13: from `const entityManager = getManager(); // you can also get it via getConnection().manager` to `const entityManager = Manager;`
* docs: update entitymanager definition
changed line 10 from: `import {Manager} from "./config/DataSource";` to `import {DataSource} from "typeorm";`
and changed line 13 and 14 from: `const entityManager = Manager;` `const user = await entityManager.findOne(User, 1);` to `const myDataSource = new DataSource({ /*…*/ });` `const user = await myDataSource.manager.findOne(User, 1);`
for a simpler way of describing the origin of DataSource and how it works.
* In return type doesn’t seem to work in all cases
* feat: mssql v7 support (#8592)
Adds support for v7 of the mssql library as v6 is EOL. This also makes use of the new toReadableStream method on requests to return a native stream where required.
* fix: prefix relation id columns contained in embedded entities (#6977) (#7432)
* fix: prefix relation id columns contained in embedded entities (#6977)
Searches embedded entity columns for relation ID column if relation column is in embedded entity. If not found, creates new relation ID with embedded metadata set to match the relation column.
fixes: #2254 fixes: #3132 fixes: #3226 fixes: #6977
* test: prefix subcounters sub-entity with “sub” to fit in 30 character identifier for oracle
Problem introduced with #6981
* fix: find by Date object in sqlite driver (#7538)
* fix: find by Date object in sqlite driver
In sqlite, Date objects are persisted as UtcDatetimeString. But a Date object parameter was escaped with .toISOString(), making such queries impossible. This commit aligns both transforms. This bug does *not* apply to better-sql where you can only bind numbers, strings, bigints, buffers, and null. This is breaking for when the user inserted their dates manually as ISO and relied on this old maltransformation, after this their find()s by Date won’t work anymore.
BREAKING CHANGE: Change Date serialization in selects Closes: #2286
* add failing test
* fix: find by Date object in sqlite driver (with query builder)
Also consider query builder parameter escaping
* test: add test for 3426
Co-authored-by: James Ward [email protected]
* manually ported changes from #7796
* updated changelog
* fixes after merge
* new findOne syntax
* new find* syntax
* new find* syntax
* lint
* tsc version bump
* tsc version bump and fixed mongodb issues
* moved date fns into non dev deps
* returned oracledb dep into place
* removed lock files
* returned lock files back
* eslint upgrade
* fixing mongodb issue
* fixing mongodb issue
* test: keep junction aliases short (#8637)
Tests a fix for an issue where junction aliases (e.g. in many-to-many relations) are not unique because they are too long and thus truncated by the driver.
Closes: #8627 Related to: 76cee41
* fixing mongodb issues
* fixing sqlite test
* fixing sqlite test
* fixing sqlite test
* fixing mongodb test
* fixing entity schema tests
* fixing entity schema tests
* merged latest master
* removed driver instanceof checks
* removed function instanceof checks
* removed Object instanceof checks
* removing instanceof checks…
* fixing instanceof checks
* added InstanceChecker to remove remaining instanceof checks
* fixed failing test
* linting
* fixing failing test
* version bump
* compiler fixes
* Connection type usages replace to DataSource
* updated dev deps
* updated deps, add prettier, removed oracledb due to m1 issue
* chalk downgrade
* fixing failing test
* applied prettier formatting
* replaced eslint to prettier
* okay I think we can call it lint
* fixing linting
* fixed prettier introduced compiler bug
* fixed failing test
* prettier;
* fixed failing test
* alias shortening only for junction tables; fixed failing tests;
* changed aurora db names and reverted change of junction table name shorten algorithm
* format
* removed platform from docker compose
* made numeric parameters to not use parameters to prevent parameters number limit issue. Also enabled shorten only for junction tables
* fixing test
* fixing returning columns bugs
* fixing test
* fixed returning issue
* fixing merge conflicts
* updating documentation
* working on docs / improving api
* working on docs
* fixed isConnected issue
* re-worked commands
* commenting cli command tests for now
* commenting cli command tests for now
* removed platform
* returned Connection back
* refactor: export tree repository helper methods (#8753)
* Migrated protected tree methods to util class
* Added tree repository extend override
* Ran prettier format
* merge master into 0.3.0
Co-authored-by: Bitcollage [email protected]
* working on documentation
Co-authored-by: Bilel Taktak [email protected] Co-authored-by: Salah Azzouz [email protected] Co-authored-by: Daniel Hensby [email protected] Co-authored-by: Nebojša Cvetković [email protected] Co-authored-by: Philip Waritschlager [email protected] Co-authored-by: James Ward [email protected] Co-authored-by: Felix Gohla [email protected] Co-authored-by: Dmitry Zotov [email protected] Co-authored-by: Jimmy Chen [email protected] Co-authored-by: Bitcollage [email protected]
11 people committed
Mar 17, 2022