More security updates

src/app.controller.post.ts

@@ -28,7 +28,8 @@ export class PostController {
 	@Post('/login')
 	signIn(@Body() signInDto: Record<string, any>) {
 		const username = this.request.escapeText(signInDto.username)
-		return this.loginService.signIn(username, signInDto.password)
+		const password = this.request.text(signInDto.password)
+		return this.loginService.signIn(username, password)
 	}
 
 	/**
@@ -38,7 +39,7 @@ export class PostController {
 	@Post('*/')
 	async createOne(@Req() req, @Res() res): Promise<FindOneResponseObject> {
 		const table_name = UrlToTable(req.originalUrl, 1)
-		const body = this.request.escapeObject(req.body)
+		const body = req.body
 
 		let schema: DatabaseSchema
 

src/app.controller.put.ts

@@ -27,7 +27,7 @@ export class PutController {
 	async updateById(@Req() req, @Res() res): Promise<FindOneResponseObject> {
 		const table_name = UrlToTable(req.originalUrl, 1)
 		const id = this.request.escapeText(req.params.id)
-		const body = this.request.escapeObject(req.body)
+		const body = req.body
 
 		let schema: DatabaseSchema
 

src/databases/mysql.database.ts

@@ -402,7 +402,7 @@ export class MySQL {
 		}
 
 		if (where?.length) {
-			command += `WHERE ${where.map(w => `${w.column.includes('.') ? w.column : table_name + '.' + w.column} ${w.operator === WhereOperator.search ? 'LIKE' : w.operator} ${w.value ? `'` + (w.operator === WhereOperator.search ? '%' : '') + w.value + (w.operator === WhereOperator.search ? '%' : '') + `'` : ''}`).join(' AND ')} `
+			command += `WHERE ${where.map(w => `${w.column.includes('.') ? w.column : table_name + '.' + w.column} ${w.operator === WhereOperator.search ? 'LIKE' : w.operator} ${w.value ? (w.operator === WhereOperator.search ? '%' : '') + w.value + (w.operator === WhereOperator.search ? '%' : '') : ''}`).join(' AND ')} `
 		}
 
 		return command

src/helpers/Authentication.ts

@@ -7,6 +7,7 @@ import { Auth, AuthAPIKey, AuthLocation, AuthRestrictionsResponse, AuthType } fr
 import { DatabaseSchema, QueryPerform, WhereOperator } from '../types/database.types'
 import { Logger } from './Logger'
 import { Query } from './Query'
+import { Request } from './Request'
 import { Schema } from './Schema'
 
 @Injectable()
@@ -15,6 +16,7 @@ export class Authentication {
 		private readonly configService: ConfigService,
 		private readonly logger: Logger,
 		private readonly query: Query,
+		private readonly request: Request,
 		private readonly schema: Schema,
 		private readonly jwtService: JwtService,
 	) {}
@@ -221,7 +223,7 @@ export class Authentication {
 							{
 								column: api_key_config.column,
 								operator: WhereOperator.equals,
-								value: req_api_key,
+								value: this.request.escapeText(req_api_key),
 							},
 						],
 						joins: true,

src/helpers/Request.ts

@@ -1,5 +1,6 @@
 import { Injectable } from '@nestjs/common'
 import * as sqlstring from 'sqlstring'
+import * as escape from 'escape-html'
 
 @Injectable()
 export class Request {
@@ -9,18 +10,12 @@ export class Request {
      * Pipes a request whilst sanitizing it
      */
 
-    escapeText(string: string): string {
-        return sqlstring.escape(string)
+    text(string: string): string {
+        return escape(string)
     }
 
-    escapeObject(object: Record<string, any>): Record<string, any> {
-        const new_object = {}
-
-        for (const key in object) {
-            new_object[key] = this.escapeText(object[key])
-        }
-
-        return new_object
+    escapeText(string: string): string {
+        return sqlstring.escape(string)
     }
 
 }