REST API does not work when ENABLE_ALLOWLIST = 1 #52
Description
Describe the bug
When the user opts into the allowlist feature via changing their wrangler variable to ENABLE_ALLOWLIST = 1, deploys, and then tries to access any of the REST API endpoints - those calls fail. This is mainly due to the REST API now being blocked by the allowlist when it tries to make SQL calls to get the tables primary key values such as:
PRAGMA table_info(${tableName});We need to find a way to allow the REST API to continue to work even when the Allowlist feature is toggled on. How can we easily add (or bypass optionally via a configuration toggle) to allow whatever query the LiteREST.ts file produces to be executed?
For example one way to "band-aid" this (but bad, not acceptable solution) is by adding the following code to line 40 of ./allowlist/index.ts
if (sql.trim().match(/^PRAGMA\s+table_info\s*\(\s*['"`]?([a-zA-Z0-9_]+)['"`]?\s*\)\s*;?\s*$/i)) {
return true;
}Which works for the SQLite internal source only but could be a loophole for other users to request PRAGMA information on tables when they shouldn't be able to. This requires a more suitable resolution that doesn't open up access to the databases.
To Reproduce
Steps to reproduce the behavior:
- Change your wrangler.toml variable to
ENABLE_ALLOWLIST = 1 - Deploy your instance
- Try to make a REST API call such as the below cURL
- See error message response instead of expected rows from
my_table
curl --location --request GET 'https://starbasedb.MY-IDENTIFIER.workers.dev/rest/main/my_table' \
--header 'Authorization: Bearer DEF456' \
Expected behavior
Expected to see the results that the REST endpoint should return. For example, if we make a GET call to a table named todos then I would expect a result containing an array of todo item rows from my database table to be represented.