Query results are replaced with values from select method #10142

Closed
jwerre opened this issue Apr 15, 2021 · 5 comments
Labels
confirmed-bug (We've confirmed this is a bug in Mongoose and will fix it.), underlying library issue (This issue is a bug with an underlying library, like the MongoDB driver or mongodb-core)

@jwerre

jwerre commented Apr 15, 2021

Do you want to request a feature or report a bug?
Report a bug.

What is the current behavior?
When using the select method with an object and String values the result is replaced with the values from the select statement.

If the current behavior is a bug, please provide the steps to reproduce.

https://gist.github.com/jwerre/ef447dc1d60a48865c8574dff73d7a69

What is the expected behavior?
In MongoDB Version 4.2 the Gist above works fine, but if you switch to MongoDB 4.4 the query replaces the values with the select strings. In the Gist above you'll find the following behavior:

const result = await Language.find()
	.select({
		code: '1',
		name: '<script>XXS</script>',
	});

Result in MongoDB <=4.2:

[
  { _id: 6078a31fd1108558d8d72ea4, name: 'Danish', code: 'da' },
  { _id: 6078a31fd1108558d8d72ea5, name: 'Italian', code: 'it' },
  ...
]

Result in MongoDB 4.4:

[
  { _id: "6078a04ce2811e25809db186", code: '1', name: '<script>XXS</script>' },
  { _id: "6078a04ce2811e25809db187", code: '1', name: '<script>XXS</script>' },
  ...
]

What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Node.js: v12.18.4
MongoDB: 4.4
Mongoose: 5.12.4

@jwerre
Author

jwerre commented Apr 15, 2021

I just realized this is happening on the MongoDB shell as well; this doesn't have anything to do with Mongoose.

@IslandRhythms added the "help" label (This issue can likely be resolved in GitHub issues. No bug fixes, features, or docs necessary) on Apr 16, 2021
@jwerre
Author

jwerre commented Apr 19, 2021

I reported this to MongoDB: https://jira.mongodb.org/browse/SERVER-56130

@vkarpov15 added this to the 5.12.6 milestone on Apr 23, 2021
@vkarpov15 added the "needs repro script" label (Maybe a bug, but no repro script. The issue reporter should create a script that demos the issue) and removed the "help" label on Apr 23, 2021
@vkarpov15 added the "confirmed-bug" and "underlying library issue" labels and removed the "needs repro script" label on Apr 26, 2021
@vkarpov15
Collaborator

97f851 should fix this issue in Mongoose once we release v5.12.6. I'm in contact with MongoDB via email to figure out disclosure.

@jwerre
Author

jwerre commented May 27, 2021

This appears to be an issue that will not be fixed: https://jira.mongodb.org/browse/SERVER-57248?focusedCommentId=3844476&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-3844476

To summarize:

  • The reason behind this change is that find and aggregate projection now fully share their syntax and semantics.
  • Since projections can accept arbitrary expressions, applications must validate user input before passing it through verbatim to an MQL projection.
  • MQL injection, analogous to SQL injection, is possible. Application authors should know how to protect against it.

@vkarpov15
Collaborator

Follow #10243 for updates. We'll be adding features to help protect against projection injections.
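
The input validation that the MongoDB response summarized above asks of applications, as an added example that is not part of this thread and not Mongoose's own code: it checks a client-supplied projection against an allowlist and coerces the values to 0/1 before the object reaches `select()`. `ALLOWED_FIELDS`, `sanitizeProjection` and `tryProjection` are hypothetical names, the field names come from the issue's `Language` model, and the sample inputs are constructed.

```javascript
// Added example (hypothetical helper names). Fields taken from the issue's Language model.
const ALLOWED_FIELDS = new Set(['_id', 'name', 'code']);

// Return a projection that contains only allowlisted field names mapped to 0 or 1.
// Any other value (a string, an object, an array) is rejected, because MongoDB 4.4
// evaluates non-boolean, non-numeric projection values as expressions or literals.
function sanitizeProjection(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('projection must be a plain object');
  }
  const out = {};
  for (const [field, raw] of Object.entries(input)) {
    if (!ALLOWED_FIELDS.has(field)) {
      throw new RangeError(`field not selectable: ${field}`);
    }
    // Query-string values arrive as text, so accept '0'/'1' but store real numbers.
    if (raw === 1 || raw === '1' || raw === true) {
      out[field] = 1;
    } else if (raw === 0 || raw === '0' || raw === false) {
      out[field] = 0;
    } else {
      throw new TypeError(`invalid projection value for ${field}`);
    }
  }
  return out;
}

// Helper for the demonstration: return the clean projection or the rejection reason.
function tryProjection(input) {
  try {
    return sanitizeProjection(input);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Constructed inputs: a benign request and the select() argument from the issue.
const benign = { code: '1', name: 1 };
const fromIssue = { code: '1', name: '<script>XXS</script>' };

console.log(tryProjection(benign));    // safe to pass to Language.find().select(...)
console.log(tryProjection(fromIssue)); // never reaches the database
```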
