diff --git a/apps/meteor/app/api/server/definition.ts b/apps/meteor/app/api/server/definition.ts index b9825a4f9612..acace73a8226 100644 --- a/apps/meteor/app/api/server/definition.ts +++ b/apps/meteor/app/api/server/definition.ts @@ -149,7 +149,13 @@ export type ActionThis; + /** + * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable. + */ fields: Record; + /** + * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable. + */ query: Record; }>; } & (TOptions extends { authRequired: true } diff --git a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts index e3552afb5d50..9c088c8f31e1 100644 --- a/apps/meteor/app/api/server/helpers/parseJsonQuery.ts +++ b/apps/meteor/app/api/server/helpers/parseJsonQuery.ts @@ -15,7 +15,13 @@ const pathAllowConf = { export async function parseJsonQuery(api: PartialThis): Promise<{ sort: Record; + /** + * @deprecated To access "fields" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable. + */ fields: Record; + /** + * @deprecated To access "query" parameter, use ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS environment variable. + */ query: Record; }> { const { @@ -47,10 +53,16 @@ export async function parseJsonQuery(api: PartialThis): Promise<{ } } + // TODO: Remove this once we have all routes migrated to the new API params + const hasSupportedRoutes = ([] as string[]).includes(route); + const isUnsafeQueryParamsAllowed = process.env.ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS?.toUpperCase() === 'TRUE'; + const messageGenerator = ({ endpoint, version, parameter }: { endpoint: string; version: string; parameter: string }): string => + `The usage of the "${parameter}" parameter in endpoint "${endpoint}" breaks the security of the API and can lead to data exposure. It has been deprecated and will be removed in the version ${version}.`; + let fields: Record | undefined; - if (params.fields) { - apiDeprecationLogger.parameter(route, 'fields', '7.0.0', response); + if (params.fields && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) { try { + apiDeprecationLogger.parameter(route, 'fields', '8.0.0', response, messageGenerator); fields = JSON.parse(params.fields) as Record; Object.entries(fields).forEach(([key, value]) => { @@ -99,9 +111,8 @@ export async function parseJsonQuery(api: PartialThis): Promise<{ } let query: Record = {}; - if (params.query) { - apiDeprecationLogger.parameter(route, 'query', '7.0.0', response); - + if (params.query && (isUnsafeQueryParamsAllowed || !hasSupportedRoutes)) { + apiDeprecationLogger.parameter(route, 'query', '8.0.0', response, messageGenerator); try { query = ejson.parse(params.query); query = clean(query, pathAllowConf.def);