fix(policy): reject access to undefined models (#499)

Author: ymc9

TODO.md

@@ -104,7 +104,7 @@
     - [x] Inject "on conflict do update"
     - [x] `check` function
     - [ ] Custom functions
-    - [ ] Accessing tables not in the schema
+    - [x] Accessing tables not in the schema
 - [x] Migration
 - [ ] Databases
     - [x] SQLite

packages/plugins/policy/src/policy-handler.ts

@@ -90,6 +90,8 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
 
         const { mutationModel } = this.getMutationModel(node);
 
+        this.tryRejectNonexistentModel(mutationModel);
+
         // --- Pre mutation work ---
 
         if (InsertQueryNode.is(node)) {
@@ -331,6 +333,8 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             return super.transformJoin(node);
         }
 
+        this.tryRejectNonexistentModel(table.model);
+
         // build a nested query with policy filter applied
         const filter = this.buildPolicyFilter(table.model, table.alias, 'read');
 
@@ -872,6 +876,7 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
             const extractResult = this.extractTableName(table);
             if (extractResult) {
                 const { model, alias } = extractResult;
+                this.tryRejectNonexistentModel(model);
                 const filter = this.buildPolicyFilter(model, alias, 'read');
                 return acc ? conjunction(this.dialect, [acc, filter]) : filter;
             }
@@ -1011,5 +1016,11 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         return eb.and([aQuery, bQuery]).toOperationNode();
     }
 
+    private tryRejectNonexistentModel(model: string) {
+        if (!QueryUtils.hasModel(this.client.$schema, model) && !this.isManyToManyJoinTable(model)) {
+            throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
+        }
+    }
+
     // #endregion
 }

tests/e2e/orm/policy/nonexistent-models.test.ts

@@ -0,0 +1,59 @@
+import { createPolicyTestClient } from '@zenstackhq/testtools';
+import { describe, expect, it } from 'vitest';
+
+describe('Policy tests for nonexistent models and fields', () => {
+    it('rejects access to nonexistent model', async () => {
+        const db = await createPolicyTestClient(
+            `
+            model Foo {
+                id String @id @default(cuid())
+                string String
+                @@allow('all', true)
+            }
+            `,
+        );
+        const dbRaw = db.$unuseAll();
+
+        // create a Bar table
+        await dbRaw.$executeRawUnsafe(
+            `CREATE TABLE "Bar" ("id" TEXT PRIMARY KEY, "string" TEXT, "fooId" TEXT, FOREIGN KEY ("fooId") REFERENCES "Foo" ("id"));`,
+        );
+
+        await dbRaw.$qb.insertInto('Foo').values({ id: '1', string: 'test' }).execute();
+        await dbRaw.$qb.insertInto('Bar').values({ id: '1', string: 'test', fooId: '1' }).execute();
+
+        expect(db.bar).toBeUndefined();
+
+        // unknown relation
+        await expect(db.foo.findFirst({ include: { bar: true } })).toBeRejectedByValidation();
+
+        // read
+        await expect(db.$qb.selectFrom('Bar').selectAll().execute()).toBeRejectedByPolicy();
+
+        // join
+        await expect(
+            db.$qb.selectFrom('Foo').innerJoin('Bar', 'Bar.fooId', 'Foo.id').selectAll().execute(),
+        ).toBeRejectedByPolicy();
+
+        // create
+        await expect(db.$qb.insertInto('Bar').values({ id: '1', string: 'test' }).execute()).toBeRejectedByPolicy();
+
+        // update
+        await expect(
+            db.$qb.updateTable('Bar').set({ string: 'updated' }).where('id', '=', '1').execute(),
+        ).toBeRejectedByPolicy();
+
+        // update with from
+        await expect(
+            db.$qb
+                .updateTable('Foo')
+                .set({ string: 'updated' })
+                .from('Bar')
+                .where('Bar.fooId', '=', 'Foo.id')
+                .execute(),
+        ).toBeRejectedByPolicy();
+
+        // delete
+        await expect(db.$qb.deleteFrom('Bar').where('id', '=', '1').execute()).toBeRejectedByPolicy();
+    });
+});