From 9c72651804b1212343ce80da160a2db0185894d9 Mon Sep 17 00:00:00 2001 From: Book Pauk Date: Wed, 5 Oct 2022 14:59:17 +0700 Subject: [PATCH] =?UTF-8?q?=D0=92=20cli=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2?= =?UTF-8?q?=D0=BB=D0=B5=D0=BD=20=D0=BF=D0=B0=D1=80=D0=B0=D0=BC=D0=B5=D1=82?= =?UTF-8?q?=D1=80=20'unsafe-filter'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- server/core/DbCreator.js | 8 ++++++-- server/index.js | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/server/core/DbCreator.js b/server/core/DbCreator.js index 58cf44a..8323721 100644 --- a/server/core/DbCreator.js +++ b/server/core/DbCreator.js @@ -76,8 +76,12 @@ class DbCreator { if (inpxFilter) { let recFilter = () => true; - if (inpxFilter.filter) - recFilter = new Function(`'use strict'; return ${inpxFilter.filter}`)(); + if (inpxFilter.filter) { + if (config.allowUnsafeFilter) + recFilter = new Function(`'use strict'; return ${inpxFilter.filter}`)(); + else + throw new Error(`Unsafe property 'filter' detected in ${this.config.inpxFilterFile}. Please specify '--unsafe-filter' param if you know what you're doing.`); + } filter = (rec) => { let author = rec.author; diff --git a/server/index.js b/server/index.js index c3023c9..53d1ba1 100644 --- a/server/index.js +++ b/server/index.js @@ -104,6 +104,7 @@ async function init() { config.recreateDb = argv.recreate || false; config.inpxFilterFile = `${config.execDir}/inpx-web-filter.json`; + config.allowUnsafeFilter = argv['unsafe-filter'] || false; //app const appDir = `${config.publicDir}/app`;