From 1b8df17a55649fd417bd65fb34118c4016a551d3 Mon Sep 17 00:00:00 2001
From: stack72 <public@paulstack.co.uk>
Date: Wed, 19 Jun 2024 22:50:13 +0100
Subject: [PATCH] fix(dal, web): Ensure attribute functions can't set incorrect
 output locations

Without this, people can set root or root/secrets - which is the dangerous props people can set

We now made it:

/root/resource_value/*
/root/domain/*
/root/si/name
/root/si/color
---
 app/web/src/store/func/funcs.store.ts | 20 +++++++++++---------
 app/web/src/store/func/types.ts       |  1 +
 lib/dal/src/input_sources.rs          | 11 ++++++++++-
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/app/web/src/store/func/funcs.store.ts b/app/web/src/store/func/funcs.store.ts
index f9ba80de8a..b8ea0acc48 100644
--- a/app/web/src/store/func/funcs.store.ts
+++ b/app/web/src/store/func/funcs.store.ts
@@ -277,16 +277,18 @@ export const useFuncStore = () => {
             (schemaVariantId === nilId()
               ? _.flatten(Object.values(this.inputSourceProps))
               : this.inputSourceProps[schemaVariantId]
-            )?.map((prop) => {
-              const label = this.propIdToSourceName(prop.propId) ?? "none";
-              return {
-                label,
-                value: {
+            )
+              ?.filter((p) => p.eligibleForOutput)
+              .map((prop) => {
+                const label = this.propIdToSourceName(prop.propId) ?? "none";
+                return {
                   label,
-                  propId: prop.propId,
-                },
-              };
-            }) ?? [];
+                  value: {
+                    label,
+                    propId: prop.propId,
+                  },
+                };
+              }) ?? [];
 
           const socketOptions =
             (schemaVariantId === nilId()
diff --git a/app/web/src/store/func/types.ts b/app/web/src/store/func/types.ts
index aa27c6b037..7263cb5b00 100644
--- a/app/web/src/store/func/types.ts
+++ b/app/web/src/store/func/types.ts
@@ -79,6 +79,7 @@ export interface InputSourceProp {
   schemaVariantId: string;
   path: string;
   name: string;
+  eligibleForOutput: boolean;
 }
 
 export interface OutputLocationProp {
diff --git a/lib/dal/src/input_sources.rs b/lib/dal/src/input_sources.rs
index c9c9a91624..7272170278 100644
--- a/lib/dal/src/input_sources.rs
+++ b/lib/dal/src/input_sources.rs
@@ -51,6 +51,7 @@ pub struct InputSourceProp {
     pub kind: PropKind,
     pub name: String,
     pub path: String,
+    pub eligible_for_output: bool,
 }
 
 #[derive(Deserialize, Serialize, Debug)]
@@ -151,12 +152,20 @@ impl InputSources {
                 work_queue.extend(Prop::direct_child_props_ordered(ctx, prop.id).await?);
             }
 
+            let path = prop.path(ctx).await?.with_replaced_sep_and_prefix("/");
+
+            let eligible_for_output = path == "/root/resource_value"
+                || path == "/root/si/color"
+                || path.starts_with("/root/domain/")
+                || path.starts_with("/root/resource_value/");
+
             input_socket_props.push(InputSourceProp {
                 schema_variant_id,
                 prop_id: prop.id,
                 kind: prop.kind,
                 name: prop.name.to_owned(),
-                path: prop.path(ctx).await?.with_replaced_sep_and_prefix("/"),
+                path,
+                eligible_for_output,
             })
         }