@asymmetrik/fhir-sanitize-param - npm Package Compare versions

Comparing version 1.1.1 to 1.1.2

CHANGELOG.md

@@ -6,2 +6,10 @@ # Change Log
 
+## [1.1.2](https://github.com/Asymmetrik/phx-tools/compare/@asymmetrik/fhir-sanitize-param@1.1.1...@asymmetrik/fhir-sanitize-param@1.1.2) (2019-05-03)
+
+**Note:** Version bump only for package @asymmetrik/fhir-sanitize-param
+
+
+
+
+
 ## [1.1.1](https://github.com/Asymmetrik/phx-tools/compare/@asymmetrik/fhir-sanitize-param@1.0.0...@asymmetrik/fhir-sanitize-param@1.1.1) (2019-04-05)
@@ -8,0 +16,0 @@

index.js

@@ -62,2 +62,16 @@ const sanitize = require('sanitize-html');
 /**
+ * @function sanitizeString
+ * @description Sanitize string values.
+ * @param field
+ * @param value
+ * @param type
+ * @returns {*}
+ */
+let sanitizeString = function({ field, value, type = 'string' }) {
+	invariant(typeof value === 'string', mismatchError({ field, type }));
+	value = validator.stripLow(xss(sanitize(value)));
+	return value;
+};
+
+/**
  * @function sanitizeBoolean
@@ -71,3 +85,4 @@ * @description Sanitize boolean values. Can only be a string saying either 'true' or 'false'.
 let sanitizeBoolean = function({ field, value, type = 'boolean' }) {
-	value = value.toLowerCase();
+	// Run the value through the string sanitization to get rid of any risky characters
+	value = sanitizeString({ field, value }).toLowerCase();
 	if (['true', 'false'].includes(value)) {
@@ -89,2 +104,4 @@ value = validator.toBoolean(value, true);
 let sanitizeDate = function({ field, value, type = 'date' }) {
+	// Run the value through the string sanitization to get rid of any risky characters
+	value = sanitizeString({ field, value });
 	let prefix;
@@ -103,2 +120,4 @@ ({ prefix, value } = splitPrefixFromValue(value));
 	if (id) {
+		// Run the value through the string sanitization to get rid of any risky characters
+		id = sanitizeString({ field: 'id', value: id });
 		id = id.replace(/[^A-Za-z0-9-.]/g, '');
@@ -119,2 +138,4 @@ id = id.length > 64 ? id.substring(0, 64) : id;
 let sanitizeNumber = function({ field, value, type = 'number' }) {
+	// Run the value through the string sanitization to get rid of any risky characters
+	value = sanitizeString({ field, value });
 	let prefix;
@@ -135,16 +156,2 @@ ({ prefix, value } = splitPrefixFromValue(value));
 /**
- * @function sanitizeString
- * @description Sanitize string values.
- * @param field
- * @param value
- * @param type
- * @returns {*}
- */
-let sanitizeString = function({ field, value, type = 'string' }) {
-	value = validator.stripLow(xss(sanitize(value)));
-	invariant(typeof value === 'string', mismatchError({ field, type }));
-	return value;
-};
-
-/**
  * @function sanitizeToken
@@ -159,4 +166,4 @@ * @description Sanitize token values.
 let sanitizeToken = function({ field, value, isBoolean, type = 'token' }) {
-	// Throw if the value is not a string, because we will not be able to make a token out of it
-	invariant(typeof value === 'string', mismatchError({ field, type }));
+	// Run the value through the string sanitization to get rid of any risky characters
+	value = sanitizeString({ field, value });
 
@@ -181,3 +188,3 @@ // Tokens have 1 or 2 parts containing codes and systems that are separated by pipes.
 	if (isBoolean) {
-		code = sanitizeBoolean({ field, value: code });
+		code = sanitizeBoolean({ field, value: code }).toString();
 	} else {
@@ -199,2 +206,4 @@ code = validator.stripLow(xss(sanitize(code)));
 let sanitizeQuantity = function({ field, value, type = 'quantity' }) {
+	// Run the value through the string sanitization to get rid of any risky characters
+	value = sanitizeString({ field, value });
 	let [number, token] = value.split(/\|(.+)/);
@@ -221,3 +230,38 @@ let prefix;
 
-//TODO maybe just have one method that takes in a value and type and sanitizes accordingly.
+/**
+ * sanitizeSearchResultParameter
+ * @param field
+ * @param value
+ * @returns {number}
+ */
+let sanitizeSearchResultParameter = function({ field, value }) {
+	// Run the value through the string sanitization to get rid of any risky characters
+	let sanitizedValue = sanitizeString({ field, value });
+	let validValues = {
+		_summary: ['true', 'text', 'data', 'count', 'false'],
+		_total: ['none', 'estimate', 'accurate'],
+		_contained: ['true', 'false', 'both'],
+		_containedType: ['container', 'contained'],
+	};
+
+	// If the parameter is '_count', make sure that it's a positive integer.
+	if (field === '_count') {
+		sanitizedValue = Number(value);
+		invariant(
+			Number.isInteger(sanitizedValue) && sanitizedValue > 0,
+			mismatchError({ field, type: 'positive integer' }),
+		);
+	}
+
+	// If it's one of the params with a limited set of valid values, make sure we have one of the valid values.
+	if (validValues[field]) {
+		invariant(
+			validValues[field].includes(sanitizedValue),
+			mismatchError({ field, type: validValues[field].toString() }),
+		);
+	}
+
+	return sanitizedValue;
+};
+
 module.exports = {
@@ -231,2 +275,3 @@ sanitizeBoolean,
 	sanitizeToken,
+	sanitizeSearchResultParameter,
 };

index.test.js

 const sanitizer = require('./index.js');
+const moment = require('moment');
 
-describe('Parameter Sanitization Tests', () => {
+describe('Standard Parameter Sanitization Tests', () => {
+	beforeAll(() => {
+		// Do this for tests only
+		moment.suppressDeprecationWarnings = true;
+	});
 	describe('Boolean', () => {
@@ -188,2 +193,22 @@ test('Should convert true string to a boolean true', () => {
 		});
+		test('Should reject a systemless and codeless token', () => {
+			const callSanitizeToken = () => {
+				sanitizer.sanitizeToken({ field: 'foo', value: '|', isBoolean: true });
+			};
+			expect(callSanitizeToken).toThrowError(
+				/Type mismatch, expected token for parameter foo/,
+			);
+		});
+		test('Should reject an invalid boolean code', () => {
+			const callSanitizeToken = () => {
+				sanitizer.sanitizeToken({
+					field: 'foo',
+					value: 'notBoolean',
+					isBoolean: true,
+				});
+			};
+			expect(callSanitizeToken).toThrowError(
+				/Type mismatch, expected boolean for parameter foo/,
+			);
+		});
 	});
@@ -290,3 +315,3 @@ describe('Quantity', () => {
 		test('Should strip out invalid characters', () => {
-			let result = sanitizer.sanitizeId('1:2_3!4*5&');
+			let result = sanitizer.sanitizeId('1:2_3!4*5');
 			expect(result).toEqual('12345');
@@ -303,2 +328,97 @@ });
 	});
+	describe('Search Parameter Sanitization Tests', () => {
+		test('Should sanitize _elements param as string', () => {
+			let input = {
+				field: '_elements',
+				value: '\b\f\nb\r\t\va\0r',
+			};
+			let result = sanitizer.sanitizeSearchResultParameter(input);
+			expect(result).toEqual('bar');
+		});
+		test('Should sanitize _include param as string', () => {
+			let input = {
+				field: '_include',
+				value: '\b\f\nb\r\t\va\0r',
+			};
+			let result = sanitizer.sanitizeSearchResultParameter(input);
+			expect(result).toEqual('bar');
+		});
+		test('Should sanitize _revinclude param as string', () => {
+			let input = {
+				field: '_revinclude',
+				value: '\b\f\nb\r\t\va\0r',
+			};
+			let result = sanitizer.sanitizeSearchResultParameter(input);
+			expect(result).toEqual('bar');
+		});
+		test('Should throw an error if _count param is not a number', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_count',
+					value: '\b\f\nb\r\t\va\0r',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(
+				'Type mismatch, expected positive integer for parameter _count',
+			);
+		});
+		test('Should throw an error if _count param is not positive', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_count',
+					value: '0',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(
+				'Type mismatch, expected positive integer for parameter _count',
+			);
+		});
+		test('Should throw an error if _count param is not an integer', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_count',
+					value: '2.5',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(
+				'Type mismatch, expected positive integer for parameter _count',
+			);
+		});
+		test('Should throw an error if _summary param has an invalid value', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_summary',
+					value: 'foo',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(/Type mismatch/);
+		});
+		test('Should throw an error if _contained param has an invalid value', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_contained',
+					value: 'foo',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(/Type mismatch/);
+		});
+		test('Should throw an error if _containedType param has an invalid value', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_containedType',
+					value: 'foo',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(/Type mismatch/);
+		});
+		test('Should throw an error if _total param has an invalid value', () => {
+			const callSanitizeQuantity = () => {
+				sanitizer.sanitizeSearchResultParameter({
+					field: '_total',
+					value: 'foo',
+				});
+			};
+			expect(callSanitizeQuantity).toThrowError(/Type mismatch/);
+		});
+	});
 });

package.json

 {
   "name": "@asymmetrik/fhir-sanitize-param",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Sanitization tool for FHIR parameters",
@@ -25,3 +25,3 @@ "main": "index.js",
   },
-  "gitHead": "a1e9e728eeab7ed533968553b79f59d3f07b1a42"
+  "gitHead": "d5334845f7d5f5d2e00c3826016757bbfef9c4f4"
 }

No alert changes

Improved metrics

Total package byte prevSize

22965

increased by32.33%

Lines of code

665

increased by31.94%

No dependency changes