fix(permissions): fix 9 Server Action permission violations and add recursive CTE for indirect call detection
This commit is contained in:
Binary file not shown.
@@ -136,17 +136,25 @@ export function queryViolations(db: Database.Database): Violations {
|
||||
const longFiles = db
|
||||
.prepare("SELECT path, lines FROM files WHERE lines > 800 ORDER BY lines DESC")
|
||||
.all() as { path: string; lines: number }[];
|
||||
// 使用递归 CTE 识别直接或间接调用 requirePermission 的符号
|
||||
// 这样可以正确识别通过辅助函数(如 requireAiPermission)间接校验权限的 Action
|
||||
const serverActionsWithoutPerm = db
|
||||
.prepare(
|
||||
`SELECT s.name, f.path FROM symbols s
|
||||
`WITH RECURSIVE permission_callers(symbol_id) AS (
|
||||
SELECT c.caller_id
|
||||
FROM calls c
|
||||
JOIN symbols cs ON c.callee_id = cs.id
|
||||
WHERE cs.name = 'requirePermission'
|
||||
UNION
|
||||
SELECT c.caller_id
|
||||
FROM calls c
|
||||
JOIN permission_callers pc ON c.callee_id = pc.symbol_id
|
||||
)
|
||||
SELECT s.name, f.path FROM symbols s
|
||||
JOIN files f ON s.file_id = f.id
|
||||
WHERE s.is_server_action = 1
|
||||
AND s.is_public = 0
|
||||
AND NOT EXISTS (
|
||||
SELECT 1 FROM calls c
|
||||
JOIN symbols cs ON c.callee_id = cs.id
|
||||
WHERE c.caller_id = s.id AND cs.name = 'requirePermission'
|
||||
)`
|
||||
AND s.id NOT IN (SELECT symbol_id FROM permission_callers)`
|
||||
)
|
||||
.all() as { name: string; path: string }[];
|
||||
return {
|
||||
|
||||
Reference in New Issue
Block a user