fix(drizzle): sanitize query value uuid / number id NaN (#8369)

Fixes https://github.com/payloadcms/payload/issues/8347 (additionally for UUID search as well)
2024-09-23 18:35:07 +03:00
parent 338c93a229
commit dedcff0448
3 changed files with 30 additions and 0 deletions
--- a/packages/drizzle/src/queries/parseParams.ts
+++ b/packages/drizzle/src/queries/parseParams.ts
@@ -2,6 +2,7 @@ import type { SQL } from 'drizzle-orm'
 import type { Field, Operator, Where } from 'payload'

 import { and, isNotNull, isNull, ne, notInArray, or, sql } from 'drizzle-orm'
+import { PgUUID } from 'drizzle-orm/pg-core'
 import { QueryError } from 'payload'
 import { validOperators } from 'payload/shared'

@@ -194,6 +195,7 @@ export function parseParams({
                  adapter,
                  columns,
                  field,
+                  isUUID: table?.[columnName] instanceof PgUUID,
                  operator,
                  relationOrPath,
                  val,
--- a/packages/drizzle/src/queries/sanitizeQueryValue.ts
+++ b/packages/drizzle/src/queries/sanitizeQueryValue.ts
@@ -16,6 +16,7 @@ type SanitizeQueryValueArgs = {
    rawColumn: SQL<unknown>
  }[]
  field: Field | TabAsField
+  isUUID: boolean
  operator: string
  relationOrPath: string
  val: any
@@ -30,6 +31,7 @@ export const sanitizeQueryValue = ({
  adapter,
  columns,
  field,
+  isUUID,
  operator: operatorArg,
  relationOrPath,
  val,
@@ -90,6 +92,16 @@ export const sanitizeQueryValue = ({

  if (field.type === 'number' && typeof formattedValue === 'string') {
    formattedValue = Number(val)
+
+    if (Number.isNaN(formattedValue)) {
+      formattedValue = null
+    }
+  }
+
+  if (isUUID && typeof formattedValue === 'string') {
+    if (!uuidValidate(val)) {
+      formattedValue = null
+    }
  }

  if (field.type === 'date' && operator !== 'exists') {