fix(core): Ensure ID is a positive integer when fetching execution (#9629)

Iván Ovejero 2024-06-05 13:05:07 +02:00 committed by GitHub
parent f94090b48c
commit 411ffbda7f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 17 additions and 0 deletions


@ -8,6 +8,8 @@ import { NotFoundError } from '@/errors/response-errors/not-found.error';
import { parseRangeQuery } from './parse-range-query.middleware';
import type { User } from '@/databases/entities/User';
import type { Scope } from '@n8n/permissions';
import { isPositiveInteger } from '@/utils';
import { BadRequestError } from '@/errors/response-errors/bad-request.error';
@RestController('/executions')
export class ExecutionsController {
@ -59,6 +61,10 @@ export class ExecutionsController {
@Get('/:id')
async getOne(req: ExecutionRequest.GetOne) {
if (!isPositiveInteger(req.params.id)) {
throw new BadRequestError('Execution ID is not a number');
}
const workflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:read');
if (workflowIds.length === 0) throw new NotFoundError('Execution not found');
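Review bot: The error text `'Execution ID is not a number'` in getOne does not match what the guard rejects: `isPositiveInteger` also refuses `0`, `-5` and `1.5`, which are numbers, so a client sending those gets a misleading 400. I would change the line to `throw new BadRequestError('Execution ID must be a positive integer');`; the added test asserts on the error class only, so it is unaffected. The guard covers this handler alone, and any other routes in ExecutionsController that take `:id` (outside this hunk) presumably need the same check before the value reaches the query layer. getOne's body continues past the hunk.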


@ -92,3 +92,5 @@ export function rightDiff<T1, T2>(
* in switch statements or if/else chains.
*/
export const assertNever = (_value: never) => {};
export const isPositiveInteger = (maybeInt: string) => /^[1-9]\d*$/.test(maybeInt);
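Review bot: `isPositiveInteger` puts no upper bound on the digit string, so an arbitrarily long run of digits passes the check and still reaches the execution lookup, where it may exceed the ID column's range or lose precision if it is converted to a number; the storage type is not visible here, so treat this as something to confirm. A cheap bound is `/^[1-9]\d*$/.test(maybeInt) && Number.isSafeInteger(Number(maybeInt))`. The helper also has no doc comment, unlike `assertNever` above it; I would add `/** True when the string is a base-10 integer >= 1 with no sign, leading zero, whitespace or exponent. */` so callers know exactly which inputs are rejected.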


@ -4,6 +4,7 @@ import { ExecutionsController } from '@/executions/executions.controller';
import type { ExecutionRequest, ExecutionSummaries } from '@/executions/execution.types';
import type { ExecutionService } from '@/executions/execution.service';
import type { WorkflowSharingService } from '@/workflows/workflowSharing.service';
import { BadRequestError } from '@/errors/response-errors/bad-request.error';
describe('ExecutionsController', () => {
const executionService = mock<ExecutionService>();
@ -20,6 +21,14 @@ describe('ExecutionsController', () => {
jest.clearAllMocks();
});
describe('getOne', () => {
it('should 400 when execution is not a number', async () => {
const req = mock<ExecutionRequest.GetOne>({ params: { id: 'test' } });
await expect(executionsController.getOne(req)).rejects.toThrow(BadRequestError);
});
});
describe('getMany', () => {
const NO_EXECUTIONS = { count: 0, estimated: false, results: [] };
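Review bot: The new `getOne` test exercises only a non-numeric string (`'test'`), so the boundary inputs the regex was written to exclude are untested and a later loosening of `isPositiveInteger` would go unnoticed. I would turn it into `it.each(['test', '0', '-1', '1.5', '1e3', ' 1'])('should 400 for id %s', async (id) => { ... })` with the same `rejects.toThrow(BadRequestError)` assertion. A complementary case asserting that a valid ID such as `'1'` does not throw BadRequestError would pin the accept side as well.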