sails-hook-waterline-safe-criteria
Advanced tools
Sails hook that guards Waterline queries against undefined where-clause values and missing criteria.
Guard Sails/Waterline queries from silently matching everything when unsafe criteria slip through (e.g. undefined in a where clause or calling Model.destroy() with no filters).
Key points
meta: { allowUndefinedWhere: true } alongside your criteria.Waterline 0.15 keeps backwards compatibility by stripping undefined values from criteria. In destructive operations that turns this:
await User.destroy({ where: { status: undefined } });
into User.destroy({}) and deletes every record.
sails-hook-waterline-safe-criteria adds a guard without forking Waterline. The hook is secure by default; you can opt out globally, per model, or on individual queries when you really need the legacy behavior.
| Dependency | Requirement |
|---|---|
| Sails | ≥ 1.0.0 |
| Waterline | 0.15.x (bundled with Sails 1.x) |
| Node.js | ≥ 14 (tests run on 16+) |
The hook inspects stage-one criteria, so it works with any adapter (sails-disk, sails-mongo, sails-postgresql, custom adapters, etc.).
npm install.npm test.npm run test:adapters).npm run test:all before sending changes to cover every scenario.npm install sails-hook-waterline-safe-criteria --save
Sails auto-loads any dependency named sails-hook-*. If you prefer to be explicit (or to customize the config key) add the hook to config/hooks.js:
module.exports.hooks = {
'waterline-safe-criteria': require('sails-hook-waterline-safe-criteria')
};
| Scope | Setting | Effect |
|---|---|---|
| Global | config/models.js → rejectUndefinedWhere (default: true) | Secure-by-default. Set to false if you intentionally want legacy behavior. |
| Per model | api/models/Order.js → rejectUndefinedWhere: true | Opt in for specific models only (inherits the global default otherwise). |
| Hook defaults | config/waterline-safe-criteria.js → { enabled: false } | Optional: explicitly opt out of the default guard for the whole app. |
Legacy code paths can still opt in to the old behavior (or you can disable the guard globally by setting config.models.rejectUndefinedWhere = false). Add a meta object to your stage-one criteria when you really need to bypass the undefined check:
await Order.destroy({
where: criteria,
meta: { allowUndefinedWhere: true }
});
The guard still requires criteria to exist, but it ignores undefined values when that meta flag is present. The original meta object is reattached to Waterline’s Deferred so adapter-level features (.meta({ fetch: true }), etc.) keep working.
After sails-hook-orm loads, the hook wraps these helpers on every guarded model:
find, findOne, destroy, destroyOne, update, updateOne, count, sum, avg
Each call goes through the following checks:
Model.destroy() / Model.update()).undefined inside the where clause—including nested and/or/in structures—is rejected.If an unsafe pattern is detected the guard throws a flaverr with code E_UNDEFINED_WHERE. Example messages:
Unsafe DESTROY on `user` would hit every record. Pass an explicit WHERE or include `meta: { allowUndefinedWhere: true }` to bypass intentionally.
Unsafe UPDATE on `order` detected undefined inside WHERE clause. Undefined values cause Waterline to remove predicates and match everything. Scrub the criteria first, or bypass with `meta: { allowUndefinedWhere: true }`.
rejectUndefinedWhere globally and run your test suite. Any unsafe queries now fail early.meta: { allowUndefinedWhere: true } where the behavior is desired.rejectUndefinedWhere: false) while protecting everything else.Model.find(7) or Model.destroy([1,2])).meta: { allowUndefinedWhere: true } to bypass only the undefined-value check..meta, .fetch) intact.// Before (legacy behavior wipes everything)
await User.destroy({ where: { status: undefined } });
// After enabling the hook (throws E_UNDEFINED_WHERE)
await User.destroy({ where: { status: undefined } });
// If you really need the legacy behavior:
await User.destroy({ where: { status: undefined }, meta: { allowUndefinedWhere: true } });
Run the core unit + integration suite:
npm test
Adapter coverage (MySQL, PostgreSQL, MongoDB) lives in a separate job because it depends on Docker:
npm run test:adapters
For everything at once, use:
npm run test:all
The suites verify the guard on every Waterline helper, nested criteria detection, meta bypass behavior, and three integration scenarios (guarded app, baseline app, per-model configuration). The adapter matrix re-runs the critical happy/sad paths against real adapters.
A docker-compose file is included for local adapter testing, and the helper script bootstraps/tears down everything automatically:
npm run test:adapters
Under the hood the script starts the compose stack, waits for each service to be ready, exports the expected connection strings, runs the adapter spec, and shuts everything down. Nothing to configure.
Tip:
npm run test:allchains the full suite.npm run test:adapters:rawruns just the adapter spec when you already have databases running.
| Variable | Description |
|---|---|
TEST_MYSQL_URL | Override MySQL connection string (defaults to compose stack). |
TEST_POSTGRES_URL | Override PostgreSQL connection string (defaults to compose stack). |
TEST_MONGO_URL | Override Mongo connection string (defaults to compose stack). |
allowUndefinedWhere bypasses undefined checks but not the “criteria required” rule.MIT © Luis Lobo Borobia
FAQs
Sails hook that guards Waterline queries against undefined where-clause values and missing criteria.
The npm package sails-hook-waterline-safe-criteria receives a total of 10 weekly downloads. As such, sails-hook-waterline-safe-criteria popularity was classified as not popular.
We found that sails-hook-waterline-safe-criteria demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ruby's creator Matz assumes control of RubyGems and Bundler repositories while former maintainers agree to step back and transfer all rights to end the dispute.
Research
/Security News
Socket researchers found 10 typosquatted npm packages that auto-run on install, show fake CAPTCHAs, fingerprint by IP, and deploy a credential stealer.
Product
Socket Firewall Enterprise is now available with flexible deployment, configurable policies, and expanded language support.