Avoid prototype-polluting assignments in local data providers

Author: WiXSL

packages/ra-data-local-forage/src/index.spec.ts

@@ -0,0 +1,48 @@
+import expect from 'expect';
+import localforage from 'localforage';
+
+import localForageDataProvider from './index';
+
+jest.mock('localforage', () => ({
+    __esModule: true,
+    default: {
+        keys: jest.fn(),
+        getItem: jest.fn(),
+        setItem: jest.fn(),
+    },
+}));
+
+describe('ra-data-local-forage', () => {
+    beforeEach(() => {
+        jest.resetAllMocks();
+        (localforage.keys as jest.Mock).mockResolvedValue([]);
+        (localforage.getItem as jest.Mock).mockResolvedValue(undefined);
+        (localforage.setItem as jest.Mock).mockResolvedValue(undefined);
+    });
+
+    it('creates missing resource collections safely', async () => {
+        const dataProvider = localForageDataProvider();
+
+        const response = await dataProvider.create('posts', {
+            data: { title: 'Hello world' },
+        } as any);
+
+        expect(response.data.title).toEqual('Hello world');
+        expect(localforage.setItem).toHaveBeenCalledWith(
+            'ra-data-local-forage-posts',
+            [expect.objectContaining({ title: 'Hello world' })]
+        );
+    });
+
+    it('rejects unsafe resource keys', async () => {
+        const dataProvider = localForageDataProvider();
+
+        await expect(
+            dataProvider.update('__proto__', {
+                id: 1,
+                data: { title: 'bad' },
+                previousData: { id: 1 },
+            } as any)
+        ).rejects.toThrow('Invalid resource key: __proto__');
+    });
+});

packages/ra-data-local-forage/src/index.ts

@@ -175,11 +175,12 @@ export default (params?: LocalForageDataProviderParams): DataProvider => {
                 throw new Error('The dataProvider is not initialized.');
             }
 
-            const index = data[resource].findIndex(
+            const resourceData = getResourceCollection(data, resource);
+            const index = resourceData.findIndex(
                 (record: { id: any }) => record.id === params.id
             );
-            data[resource][index] = {
-                ...data[resource][index],
+            resourceData[index] = {
+                ...resourceData[index],
                 ...params.data,
             };
             updateLocalForage(resource);
@@ -191,16 +192,18 @@ export default (params?: LocalForageDataProviderParams): DataProvider => {
             if (!baseDataProvider) {
                 throw new Error('The dataProvider is not initialized.');
             }
+            if (!data) {
+                throw new Error('The dataProvider is not initialized.');
+            }
+
+            const resourceData = getResourceCollection(data, resource);
 
             params.ids.forEach((id: Identifier) => {
-                if (!data) {
-                    throw new Error('The dataProvider is not initialized.');
-                }
-                const index = data[resource].findIndex(
+                const index = resourceData.findIndex(
                     (record: { id: Identifier }) => record.id === id
                 );
-                data[resource][index] = {
-                    ...data[resource][index],
+                resourceData[index] = {
+                    ...resourceData[index],
                     ...params.data,
                 };
             });
@@ -223,10 +226,11 @@ export default (params?: LocalForageDataProviderParams): DataProvider => {
                     if (!data) {
                         throw new Error('The dataProvider is not initialized.');
                     }
-                    if (!data.hasOwnProperty(resource)) {
-                        data[resource] = [];
-                    }
-                    data[resource].push(response.data);
+                    const resourceData = getOrCreateResourceCollection(
+                        data,
+                        resource
+                    );
+                    resourceData.push(response.data);
                     updateLocalForage(resource);
                     return response;
                 });
@@ -243,10 +247,11 @@ export default (params?: LocalForageDataProviderParams): DataProvider => {
             if (!data) {
                 throw new Error('The dataProvider is not initialized.');
             }
-            const index = data[resource].findIndex(
+            const resourceData = getResourceCollection(data, resource);
+            const index = resourceData.findIndex(
                 (record: { id: any }) => record.id === params.id
             );
-            pullAt(data[resource], [index]);
+            pullAt(resourceData, [index]);
             updateLocalForage(resource);
             return baseDataProvider.delete<RecordType>(resource, params);
         },
@@ -259,21 +264,48 @@ export default (params?: LocalForageDataProviderParams): DataProvider => {
             if (!data) {
                 throw new Error('The dataProvider is not initialized.');
             }
+            const resourceData = getResourceCollection(data, resource);
             const indexes = params.ids.map((id: any) => {
-                if (!data) {
-                    throw new Error('The dataProvider is not initialized.');
-                }
-                return data[resource].findIndex(
+                return resourceData.findIndex(
                     (record: any) => record.id === id
                 );
             });
-            pullAt(data[resource], indexes);
+            pullAt(resourceData, indexes);
             updateLocalForage(resource);
             return baseDataProvider.deleteMany(resource, params);
         },
     };
 };
 
+const getResourceCollection = (data: Record<string, any>, resource: string) => {
+    const resourceData = data[resource];
+
+    if (!resourceData) {
+        throw new Error(`Unknown resource key: ${resource}`);
+    }
+
+    return resourceData;
+};
+
+const getOrCreateResourceCollection = (
+    data: Record<string, any>,
+    resource: string
+) => {
+    const resourceData = data[resource];
+    if (resourceData) {
+        return resourceData;
+    }
+
+    Object.defineProperty(data, resource, {
+        value: [],
+        writable: true,
+        enumerable: true,
+        configurable: true,
+    });
+
+    return data[resource];
+};
+
 const checkResource = resource => {
     if (['__proto__', 'constructor', 'prototype'].includes(resource)) {
         // protection against prototype pollution

packages/ra-data-local-storage/src/index.spec.ts

@@ -0,0 +1,43 @@
+import expect from 'expect';
+
+import localStorageDataProvider from './index';
+
+describe('ra-data-local-storage', () => {
+    beforeEach(() => {
+        localStorage.clear();
+    });
+
+    it('creates missing resource collections safely', async () => {
+        const dataProvider = localStorageDataProvider({
+            localStorageKey: 'ra-data-local-storage-test',
+            localStorageUpdateDelay: 0,
+        });
+
+        const response = await dataProvider.create('posts', {
+            data: { title: 'Hello world' },
+        } as any);
+
+        await new Promise(resolve => setTimeout(resolve, 0));
+
+        expect(response.data.title).toEqual('Hello world');
+        expect(
+            JSON.parse(
+                localStorage.getItem('ra-data-local-storage-test') || '{}'
+            )
+        ).toMatchObject({
+            posts: [expect.objectContaining({ title: 'Hello world' })],
+        });
+    });
+
+    it('rejects unsafe resource keys', () => {
+        const dataProvider = localStorageDataProvider();
+
+        expect(() =>
+            dataProvider.update('__proto__', {
+                id: 1,
+                data: { title: 'bad' },
+                previousData: { id: 1 },
+            } as any)
+        ).toThrow('Invalid resource key: __proto__');
+    });
+});

packages/ra-data-local-storage/src/index.ts

@@ -100,11 +100,12 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
         update: <RecordType extends RaRecord = any>(resource, params) => {
             checkResource(resource);
             updateLocalStorage(() => {
-                const index = data[resource]?.findIndex(
+                const resourceData = getResourceCollection(data, resource);
+                const index = resourceData.findIndex(
                     record => record.id == params.id
                 );
-                data[resource][index] = {
-                    ...data[resource][index],
+                resourceData[index] = {
+                    ...resourceData[index],
                     ...params.data,
                 };
             });
@@ -113,12 +114,13 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
         updateMany: (resource, params) => {
             checkResource(resource);
             updateLocalStorage(() => {
+                const resourceData = getResourceCollection(data, resource);
                 params.ids.forEach(id => {
-                    const index = data[resource]?.findIndex(
+                    const index = resourceData.findIndex(
                         record => record.id == id
                     );
-                    data[resource][index] = {
-                        ...data[resource][index],
+                    resourceData[index] = {
+                        ...resourceData[index],
                         ...params.data,
                     };
                 });
@@ -135,37 +137,66 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
                 .create<RecordType>(resource, params)
                 .then(response => {
                     updateLocalStorage(() => {
-                        if (!data.hasOwnProperty(resource)) {
-                            data[resource] = [];
-                        }
-                        data[resource].push(response.data);
+                        const resourceData = getOrCreateResourceCollection(
+                            data,
+                            resource
+                        );
+                        resourceData.push(response.data);
                     });
                     return response;
                 });
         },
         delete: <RecordType extends RaRecord = any>(resource, params) => {
             checkResource(resource);
             updateLocalStorage(() => {
-                const index = data[resource]?.findIndex(
+                const resourceData = getResourceCollection(data, resource);
+                const index = resourceData.findIndex(
                     record => record.id == params.id
                 );
-                pullAt(data[resource], [index]);
+                pullAt(resourceData, [index]);
             });
             return baseDataProvider.delete<RecordType>(resource, params);
         },
         deleteMany: (resource, params) => {
             checkResource(resource);
             updateLocalStorage(() => {
+                const resourceData = getResourceCollection(data, resource);
                 const indexes = params.ids.map(id =>
-                    data[resource]?.findIndex(record => record.id == id)
+                    resourceData.findIndex(record => record.id == id)
                 );
-                pullAt(data[resource], indexes);
+                pullAt(resourceData, indexes);
             });
             return baseDataProvider.deleteMany(resource, params);
         },
     };
 };
 
+const getResourceCollection = (data, resource) => {
+    const resourceData = data[resource];
+
+    if (!resourceData) {
+        throw new Error(`Unknown resource key: ${resource}`);
+    }
+
+    return resourceData;
+};
+
+const getOrCreateResourceCollection = (data, resource) => {
+    const resourceData = data[resource];
+    if (resourceData) {
+        return resourceData;
+    }
+
+    Object.defineProperty(data, resource, {
+        value: [],
+        writable: true,
+        enumerable: true,
+        configurable: true,
+    });
+
+    return data[resource];
+};
+
 const checkResource = resource => {
     if (['__proto__', 'constructor', 'prototype'].includes(resource)) {
         // protection against prototype pollution