@asymmetrik/fhir-sanitize-param
Advanced tools
Comparing version 1.1.1 to 1.1.2
@@ -6,2 +6,10 @@ # Change Log | ||
## [1.1.2](https://github.com/Asymmetrik/phx-tools/compare/@asymmetrik/fhir-sanitize-param@1.1.1...@asymmetrik/fhir-sanitize-param@1.1.2) (2019-05-03) | ||
**Note:** Version bump only for package @asymmetrik/fhir-sanitize-param | ||
## [1.1.1](https://github.com/Asymmetrik/phx-tools/compare/@asymmetrik/fhir-sanitize-param@1.0.0...@asymmetrik/fhir-sanitize-param@1.1.1) (2019-04-05) | ||
@@ -8,0 +16,0 @@ |
83
index.js
@@ -62,2 +62,16 @@ const sanitize = require('sanitize-html'); | ||
/** | ||
* @function sanitizeString | ||
* @description Sanitize string values. | ||
* @param field | ||
* @param value | ||
* @param type | ||
* @returns {*} | ||
*/ | ||
let sanitizeString = function({ field, value, type = 'string' }) { | ||
invariant(typeof value === 'string', mismatchError({ field, type })); | ||
value = validator.stripLow(xss(sanitize(value))); | ||
return value; | ||
}; | ||
/** | ||
* @function sanitizeBoolean | ||
@@ -71,3 +85,4 @@ * @description Sanitize boolean values. Can only be a string saying either 'true' or 'false'. | ||
let sanitizeBoolean = function({ field, value, type = 'boolean' }) { | ||
value = value.toLowerCase(); | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
value = sanitizeString({ field, value }).toLowerCase(); | ||
if (['true', 'false'].includes(value)) { | ||
@@ -89,2 +104,4 @@ value = validator.toBoolean(value, true); | ||
let sanitizeDate = function({ field, value, type = 'date' }) { | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
value = sanitizeString({ field, value }); | ||
let prefix; | ||
@@ -103,2 +120,4 @@ ({ prefix, value } = splitPrefixFromValue(value)); | ||
if (id) { | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
id = sanitizeString({ field: 'id', value: id }); | ||
id = id.replace(/[^A-Za-z0-9-.]/g, ''); | ||
@@ -119,2 +138,4 @@ id = id.length > 64 ? id.substring(0, 64) : id; | ||
let sanitizeNumber = function({ field, value, type = 'number' }) { | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
value = sanitizeString({ field, value }); | ||
let prefix; | ||
@@ -135,16 +156,2 @@ ({ prefix, value } = splitPrefixFromValue(value)); | ||
/** | ||
* @function sanitizeString | ||
* @description Sanitize string values. | ||
* @param field | ||
* @param value | ||
* @param type | ||
* @returns {*} | ||
*/ | ||
let sanitizeString = function({ field, value, type = 'string' }) { | ||
value = validator.stripLow(xss(sanitize(value))); | ||
invariant(typeof value === 'string', mismatchError({ field, type })); | ||
return value; | ||
}; | ||
/** | ||
* @function sanitizeToken | ||
@@ -159,4 +166,4 @@ * @description Sanitize token values. | ||
let sanitizeToken = function({ field, value, isBoolean, type = 'token' }) { | ||
// Throw if the value is not a string, because we will not be able to make a token out of it | ||
invariant(typeof value === 'string', mismatchError({ field, type })); | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
value = sanitizeString({ field, value }); | ||
@@ -181,3 +188,3 @@ // Tokens have 1 or 2 parts containing codes and systems that are separated by pipes. | ||
if (isBoolean) { | ||
code = sanitizeBoolean({ field, value: code }); | ||
code = sanitizeBoolean({ field, value: code }).toString(); | ||
} else { | ||
@@ -199,2 +206,4 @@ code = validator.stripLow(xss(sanitize(code))); | ||
let sanitizeQuantity = function({ field, value, type = 'quantity' }) { | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
value = sanitizeString({ field, value }); | ||
let [number, token] = value.split(/\|(.+)/); | ||
@@ -221,3 +230,38 @@ let prefix; | ||
//TODO maybe just have one method that takes in a value and type and sanitizes accordingly. | ||
/** | ||
* sanitizeSearchResultParameter | ||
* @param field | ||
* @param value | ||
* @returns {number} | ||
*/ | ||
let sanitizeSearchResultParameter = function({ field, value }) { | ||
// Run the value through the string sanitization to get rid of any risky characters | ||
let sanitizedValue = sanitizeString({ field, value }); | ||
let validValues = { | ||
_summary: ['true', 'text', 'data', 'count', 'false'], | ||
_total: ['none', 'estimate', 'accurate'], | ||
_contained: ['true', 'false', 'both'], | ||
_containedType: ['container', 'contained'], | ||
}; | ||
// If the parameter is '_count', make sure that it's a positive integer. | ||
if (field === '_count') { | ||
sanitizedValue = Number(value); | ||
invariant( | ||
Number.isInteger(sanitizedValue) && sanitizedValue > 0, | ||
mismatchError({ field, type: 'positive integer' }), | ||
); | ||
} | ||
// If it's one of the params with a limited set of valid values, make sure we have one of the valid values. | ||
if (validValues[field]) { | ||
invariant( | ||
validValues[field].includes(sanitizedValue), | ||
mismatchError({ field, type: validValues[field].toString() }), | ||
); | ||
} | ||
return sanitizedValue; | ||
}; | ||
module.exports = { | ||
@@ -231,2 +275,3 @@ sanitizeBoolean, | ||
sanitizeToken, | ||
sanitizeSearchResultParameter, | ||
}; |
const sanitizer = require('./index.js'); | ||
const moment = require('moment'); | ||
describe('Parameter Sanitization Tests', () => { | ||
describe('Standard Parameter Sanitization Tests', () => { | ||
beforeAll(() => { | ||
// Do this for tests only | ||
moment.suppressDeprecationWarnings = true; | ||
}); | ||
describe('Boolean', () => { | ||
@@ -188,2 +193,22 @@ test('Should convert true string to a boolean true', () => { | ||
}); | ||
test('Should reject a systemless and codeless token', () => { | ||
const callSanitizeToken = () => { | ||
sanitizer.sanitizeToken({ field: 'foo', value: '|', isBoolean: true }); | ||
}; | ||
expect(callSanitizeToken).toThrowError( | ||
/Type mismatch, expected token for parameter foo/, | ||
); | ||
}); | ||
test('Should reject an invalid boolean code', () => { | ||
const callSanitizeToken = () => { | ||
sanitizer.sanitizeToken({ | ||
field: 'foo', | ||
value: 'notBoolean', | ||
isBoolean: true, | ||
}); | ||
}; | ||
expect(callSanitizeToken).toThrowError( | ||
/Type mismatch, expected boolean for parameter foo/, | ||
); | ||
}); | ||
}); | ||
@@ -290,3 +315,3 @@ describe('Quantity', () => { | ||
test('Should strip out invalid characters', () => { | ||
let result = sanitizer.sanitizeId('1:2_3!4*5&'); | ||
let result = sanitizer.sanitizeId('1:2_3!4*5'); | ||
expect(result).toEqual('12345'); | ||
@@ -303,2 +328,97 @@ }); | ||
}); | ||
describe('Search Parameter Sanitization Tests', () => { | ||
test('Should sanitize _elements param as string', () => { | ||
let input = { | ||
field: '_elements', | ||
value: '\b\f\nb\r\t\va\0r', | ||
}; | ||
let result = sanitizer.sanitizeSearchResultParameter(input); | ||
expect(result).toEqual('bar'); | ||
}); | ||
test('Should sanitize _include param as string', () => { | ||
let input = { | ||
field: '_include', | ||
value: '\b\f\nb\r\t\va\0r', | ||
}; | ||
let result = sanitizer.sanitizeSearchResultParameter(input); | ||
expect(result).toEqual('bar'); | ||
}); | ||
test('Should sanitize _revinclude param as string', () => { | ||
let input = { | ||
field: '_revinclude', | ||
value: '\b\f\nb\r\t\va\0r', | ||
}; | ||
let result = sanitizer.sanitizeSearchResultParameter(input); | ||
expect(result).toEqual('bar'); | ||
}); | ||
test('Should throw an error if _count param is not a number', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_count', | ||
value: '\b\f\nb\r\t\va\0r', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError( | ||
'Type mismatch, expected positive integer for parameter _count', | ||
); | ||
}); | ||
test('Should throw an error if _count param is not positive', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_count', | ||
value: '0', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError( | ||
'Type mismatch, expected positive integer for parameter _count', | ||
); | ||
}); | ||
test('Should throw an error if _count param is not an integer', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_count', | ||
value: '2.5', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError( | ||
'Type mismatch, expected positive integer for parameter _count', | ||
); | ||
}); | ||
test('Should throw an error if _summary param has an invalid value', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_summary', | ||
value: 'foo', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError(/Type mismatch/); | ||
}); | ||
test('Should throw an error if _contained param has an invalid value', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_contained', | ||
value: 'foo', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError(/Type mismatch/); | ||
}); | ||
test('Should throw an error if _containedType param has an invalid value', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_containedType', | ||
value: 'foo', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError(/Type mismatch/); | ||
}); | ||
test('Should throw an error if _total param has an invalid value', () => { | ||
const callSanitizeQuantity = () => { | ||
sanitizer.sanitizeSearchResultParameter({ | ||
field: '_total', | ||
value: 'foo', | ||
}); | ||
}; | ||
expect(callSanitizeQuantity).toThrowError(/Type mismatch/); | ||
}); | ||
}); | ||
}); |
{ | ||
"name": "@asymmetrik/fhir-sanitize-param", | ||
"version": "1.1.1", | ||
"version": "1.1.2", | ||
"description": "Sanitization tool for FHIR parameters", | ||
@@ -25,3 +25,3 @@ "main": "index.js", | ||
}, | ||
"gitHead": "a1e9e728eeab7ed533968553b79f59d3f07b1a42" | ||
"gitHead": "d5334845f7d5f5d2e00c3826016757bbfef9c4f4" | ||
} |
22965
665