From 747bb303ec3237b52d089a6423806b9c90e19a0d Mon Sep 17 00:00:00 2001
From: Finley Ge <32237950+FinleyGe@users.noreply.github.com>
Date: Wed, 26 Feb 2025 18:32:19 +0800
Subject: [PATCH] chore: upgrade mongoose to v8.10.x for security (#3868)

* chore: upgrade mongoose to v8.10.x for security

* chore: remove duplicate code

* fix: ts error
---
 .../service/common/file/gridfs/controller.ts | 4 +-
 packages/service/package.json | 2 +-
 .../service/support/permission/controller.ts | 2 +-
 .../support/permission/publish/authLink.ts | 10 ++---
 .../service/support/permission/teamLimit.ts | 2 +-
 projects/app/src/pages/api/admin/initv481.ts | 45 +++++++++++++++++++
 .../src/pages/api/support/outLink/delete.ts | 2 +-
 7 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/packages/service/common/file/gridfs/controller.ts b/packages/service/common/file/gridfs/controller.ts
index af304714c..b6480b002 100644
--- a/packages/service/common/file/gridfs/controller.ts
+++ b/packages/service/common/file/gridfs/controller.ts
@@ -18,10 +18,10 @@ export function getGFSCollection(bucket: `${BucketNameEnum}`) {
 MongoDatasetFileSchema;
 MongoChatFileSchema;
- return connectionMongo.connection.db.collection(`${bucket}.files`);
+ return connectionMongo.connection.db!.collection(`${bucket}.files`);
 }
 export function getGridBucket(bucket: `${BucketNameEnum}`) {
- return new connectionMongo.mongo.GridFSBucket(connectionMongo.connection.db, {
+ return new connectionMongo.mongo.GridFSBucket(connectionMongo.connection.db!, {
 bucketName: bucket,
 // @ts-ignore
 readPreference: ReadPreference.SECONDARY_PREFERRED // Read from secondary node
diff --git a/packages/service/package.json b/packages/service/package.json
index 3555248b3..7577c5206 100644
--- a/packages/service/package.json
+++ b/packages/service/package.json
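Review bot: The `db!` non-null assertions on the two rewritten return lines only silence the type checker; if `getGFSCollection` or `getGridBucket` runs before the Mongoose connection is open, `connectionMongo.connection.db` is undefined at runtime and the call fails with an opaque TypeError instead of a clear error. Other files in this same commit handle that case with an explicit runtime check, and these helpers should too: `const db = connectionMongo.connection.db;` then `if (!db) throw new Error('MongoDB connection is not established');` and use `db` in place of `connectionMongo.connection.db!` in both functions. The body of getGridBucket continues past the end of the hunk.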
@@ -24,7 +24,7 @@
 "jsonwebtoken": "^9.0.2",
 "lodash": "^4.17.21",
 "mammoth": "^1.6.0",
- "mongoose": "^7.0.2",
+ "mongoose": "^8.10.1",
 "multer": "1.4.5-lts.1",
 "next": "14.2.5",
 "nextjs-cors": "^2.2.0",
diff --git a/packages/service/support/permission/controller.ts b/packages/service/support/permission/controller.ts
index 19b7058f6..79aa9fd23 100644
--- a/packages/service/support/permission/controller.ts
+++ b/packages/service/support/permission/controller.ts
@@ -178,7 +178,7 @@ export const getClbsAndGroupsWithInfo = async ({
 ]);
 export const delResourcePermissionById = (id: string) => {
- return MongoResourcePermission.findByIdAndRemove(id);
+ return MongoResourcePermission.findByIdAndDelete(id);
 };
 export const delResourcePermission = ({
 session,
diff --git a/packages/service/support/permission/publish/authLink.ts b/packages/service/support/permission/publish/authLink.ts
index 7e9c4f94d..62549b432 100644
--- a/packages/service/support/permission/publish/authLink.ts
+++ b/packages/service/support/permission/publish/authLink.ts
@@ -1,5 +1,5 @@
 import { AppDetailType } from '@fastgpt/global/core/app/type';
-import { OutlinkAppType, OutLinkSchema } from '@fastgpt/global/support/outLink/type';
+import { OutLinkSchema } from '@fastgpt/global/support/outLink/type';
 import { parseHeaderCert } from '../controller';
 import { MongoOutLink } from '../../outLink/schema';
 import { OutLinkErrEnum } from '@fastgpt/global/common/error/code/outLink';
@@ -54,15 +54,11 @@ export async function authOutLinkCrud({
 }
 /* outLink exist and it app exist */
-export async function authOutLinkValid({
- shareId
-}: {
- shareId?: string;
-}) {
+export async function authOutLinkValid({ shareId }: { shareId?: string }) {
 if (!shareId) {
 return Promise.reject(OutLinkErrEnum.linkUnInvalid);
 }
- const outLinkConfig = (await MongoOutLink.findOne({ shareId }).lean()) as OutLinkSchema;
+ const outLinkConfig = await MongoOutLink.findOne({ shareId }).lean();
 if (!outLinkConfig) {
 return Promise.reject(OutLinkErrEnum.linkUnInvalid);
diff --git a/packages/service/support/permission/teamLimit.ts b/packages/service/support/permission/teamLimit.ts
index 1a383f85b..d53e016e0 100644
--- a/packages/service/support/permission/teamLimit.ts
+++ b/packages/service/support/permission/teamLimit.ts
@@ -64,7 +64,7 @@ export const checkTeamDatasetLimit = async (teamId: string) => {
 export const checkTeamAppLimit = async (teamId: string, amount = 1) => {
 const [{ standardConstants }, appCount] = await Promise.all([
 getTeamStandPlan({ teamId }),
- MongoApp.count({
+ MongoApp.countDocuments({
 teamId,
 type: { $in: [AppTypeEnum.simple, AppTypeEnum.workflow, AppTypeEnum.plugin] }
 })
diff --git a/projects/app/src/pages/api/admin/initv481.ts b/projects/app/src/pages/api/admin/initv481.ts
index ca370235b..b9aa4fec3 100644
--- a/projects/app/src/pages/api/admin/initv481.ts
+++ b/projects/app/src/pages/api/admin/initv481.ts
@@ -10,6 +10,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 // 重命名 dataset.trainigns -> dataset_trainings
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'dataset.trainings' })
 .toArray();
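Review bot: The rewritten signature types `shareId` as `string | undefined`, but that annotation is erased at runtime, and the `if (!shareId)` guard right below it only rejects falsy values; if any caller forwards request input here unvalidated, an object such as `{ $ne: null }` would pass the guard and reach `MongoOutLink.findOne({ shareId })` as a query operator, matching an arbitrary link. A runtime type check closes that gap: `if (!shareId || typeof shareId !== 'string') {`. The rest of authOutLinkValid, including whatever is done with the now-inferred `outLinkConfig`, lies outside the hunk, so I cannot see whether later code still relies on fields the removed `as OutLinkSchema` cast used to assert.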
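Review bot: The connection guard added inside this `try` answers with `jsonRes(res, { message: '数据库连接失败' })` and no status code, so if `jsonRes` defaults to a 2xx response the caller sees a connection failure reported as success; the same five-line guard is then repeated inside every following `try` in the handler. Check once, before the first `try`, and carry the narrowed handle: `const db = connectionMongo.connection.db;` followed by `if (!db) return jsonRes(res, { code: 500, message: '数据库连接失败' });` (assuming jsonRes accepts a status field), then call `db.listCollections(...)` in each step instead of re-reading `connectionMongo.connection.db`. The handler begins before this hunk and ends well after it.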
@@ -31,6 +36,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'dataset.collections' })
 .toArray();
@@ -52,6 +62,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'dataset.datas' })
 .toArray();
@@ -73,6 +88,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'app.versions' })
 .toArray();
@@ -94,6 +114,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'buffer.rawtexts' })
 .toArray();
@@ -115,6 +140,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'buffer.tts' })
 .toArray();
@@ -134,6 +164,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'team.members' })
 .toArray();
@@ -155,6 +190,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'team.tags' })
 .toArray();
@@ -174,6 +214,11 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 }
 try {
+ if (!connectionMongo.connection.db) {
+ return jsonRes(res, {
+ message: '数据库连接失败'
+ });
+ }
 const collections = await connectionMongo.connection.db
 .listCollections({ name: 'team.subscriptions' })
 .toArray();
diff --git a/projects/app/src/pages/api/support/outLink/delete.ts b/projects/app/src/pages/api/support/outLink/delete.ts
index 343678df3..e220a0c01 100644
--- a/projects/app/src/pages/api/support/outLink/delete.ts
+++ b/projects/app/src/pages/api/support/outLink/delete.ts
@@ -16,7 +16,7 @@ async function handler(
 ): Promise {
 const { id } = req.query;
 await authOutLinkCrud({ req, outLinkId: id, authToken: true, per: OwnerPermissionVal });
- await MongoOutLink.findByIdAndRemove(id);
+ await MongoOutLink.findByIdAndDelete(id);
 return {};
 }