fix(drizzle): sanitize query value uuid / number id NaN (#8369)

Fixes https://github.com/payloadcms/payload/issues/8347 (additionally for UUID search as well)
2024-09-23 18:35:07 +03:00
parent 338c93a229
commit dedcff0448
3 changed files with 30 additions and 0 deletions
--- a/packages/drizzle/src/queries/parseParams.ts
+++ b/packages/drizzle/src/queries/parseParams.ts
@@ -2,6 +2,7 @@ import type { SQL } from 'drizzle-orm'
 import type { Field, Operator, Where } from 'payload'

 import { and, isNotNull, isNull, ne, notInArray, or, sql } from 'drizzle-orm'
+import { PgUUID } from 'drizzle-orm/pg-core'
 import { QueryError } from 'payload'
 import { validOperators } from 'payload/shared'

@@ -194,6 +195,7 @@ export function parseParams({
                  adapter,
                  columns,
                  field,
+                  isUUID: table?.[columnName] instanceof PgUUID,
                  operator,
                  relationOrPath,
                  val,
--- a/packages/drizzle/src/queries/sanitizeQueryValue.ts
+++ b/packages/drizzle/src/queries/sanitizeQueryValue.ts
@@ -16,6 +16,7 @@ type SanitizeQueryValueArgs = {
    rawColumn: SQL<unknown>
  }[]
  field: Field | TabAsField
+  isUUID: boolean
  operator: string
  relationOrPath: string
  val: any
@@ -30,6 +31,7 @@ export const sanitizeQueryValue = ({
  adapter,
  columns,
  field,
+  isUUID,
  operator: operatorArg,
  relationOrPath,
  val,
@@ -90,6 +92,16 @@ export const sanitizeQueryValue = ({

  if (field.type === 'number' && typeof formattedValue === 'string') {
    formattedValue = Number(val)
+
+    if (Number.isNaN(formattedValue)) {
+      formattedValue = null
+    }
+  }
+
+  if (isUUID && typeof formattedValue === 'string') {
+    if (!uuidValidate(val)) {
+      formattedValue = null
+    }
  }

  if (field.type === 'date' && operator !== 'exists') {
--- a/test/collections-rest/int.spec.ts
+++ b/test/collections-rest/int.spec.ts
@@ -934,6 +934,22 @@ describe('collections-rest', () => {
        expect(result.totalDocs).toEqual(1)
      })

+      it('like - id should not crash', async () => {
+        const post = await createPost({ title: 'post' })
+
+        const response = await restClient.GET(`/${slug}`, {
+          query: {
+            where: {
+              id: {
+                like: 'words partial',
+              },
+            },
+          },
+        })
+
+        expect(response.status).toEqual(200)
+      })
+
      it('exists - true', async () => {
        const postWithDesc = await createPost({ description: 'exists' })
        await createPost({ description: undefined })