This repository has been archived by the owner on Jan 29, 2023. It is now read-only.

Update dependency loopback-connector-mongodb to v3 [SECURITY] #8

Open
wants to merge 1 commit into base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 31, 2019


This PR contains the following updates:

Package: loopback-connector-mongodb
Change: ^1.11.3 -> ^3.6.0

GitHub Vulnerability Alerts

GHSA-m734-r4g6-34f9

Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection.

MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).

A proof of concept malicious query:

GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}

The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word Hello.

Recommendation

Update to version 3.6.0 or later.

GHSA-hxwc-5vw9-2w4w

Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized which leads to execution of code on the database driver and data leak.

Recommendation

Upgrade to version 3.6.0 or later.


Release Notes

loopbackio/loopback-connector-mongodb

v3.6.0

Compare Source

=========================

  • docs: update with security consideration section (virkt25)

  • fix: sanitize query by default (virkt25)

  • change count to countDocuments (Rahmat Nugraha)

  • add useNewUrlParser on validOptionNames (Rahmat Nugraha)

  • Dedicated Model for testing disableDefaultSort (HugoPoi)

  • Add disableDefaultSort in README (HugoPoi)

  • Add settings disableDefaultSort for find method (HugoPoi)

v3.5.0

Compare Source

=========================

  • chore: drop node 4 and update deps (Taranveer Virk)

  • [WebFM] cs/pl/ru translation (candytangnb)

v3.4.4

Compare Source

=========================

  • Fields projection fix (#436) (John Gonyo)

v3.4.3

Compare Source

=========================

  • update bson version (Diana Lau)

v3.4.2

Compare Source

=========================

  • chore:update CODEOWNERS (Diana Lau)

  • Prioritize db url (Dimitris)

  • CODEOWNERS: add nitro404 (Miroslav Bajtoš)

v3.4.1

Compare Source

=========================

  • fix: allow db name to be parsed from url (Raymond Feng)

v3.4.0

Compare Source

=========================

  • upgrade to mongodb driver 3.x (Raymond Feng)

  • Alias find as findById (jannyHou)

v3.3.1

Compare Source

=========================

  • Switch to bson.ObjectID (#401) (Kevin Delisle)

  • chore: update license (Diana Lau)

v3.3.0

Compare Source

=========================

  • update strong-globalize to 3.1.0 (shimks)

  • Create Issue and PR Templates (#386) (Sakib Hasan)

  • Use stalebot on this repo (#383) (Kevin Delisle)

  • Use stalebot on this repo (Kevin Delisle)

  • Add CODEOWNER file (Diana Lau)

v3.2.1

Compare Source

=========================

  • Apply feedback (ssh24)

  • Add docs on lazyConnect flag (ssh24)

v3.2.0

Compare Source

=========================

  • Remove the hard-coded writeConcern (Raymond Feng)

  • Document strictObjectIDCoercion flag (Loay)

  • Allow different forms of regexp on like/nlike op (ssh24)

  • Require init on mocha args (ssh24)

  • Use buildSort function to sort (ssh24)

  • Add docker setup (#373) (Sakib Hasan)

  • test: use mongodb-3.2 on Travis (#369) (Ryan Graham)

v3.1.0

Compare Source

=========================

  • Update connector version (#368) (Sakib Hasan)

  • Replicate issue_template from loopback repo (#350) (siddhipai)

  • Fix buildNearFilter to work with any key depth (#322) (Corentin H)

  • Fix Update when id not found (Loay)

  • Add additional envs for node v4/v6 (#365) (Sakib Hasan)

  • Update node version (ssh24)

  • Reconnect on execute after disconnect (#362) (phairow)

  • update the near query with minDistance test (#361) (Vincent Wen)

  • Fix lazy connect (#360) (phairow)

  • Export the additional functions (#353) (James Cooke)

  • Mongo 3.4 Support/Delete index ‘kind’ property from index options (#335) (Dylan Lundy)

  • Update README.md (Rand McKinney)

v3.0.1

Compare Source

=========================

  • Remove invalid options (jannyHou)

  • Add nestedProperty to connectorCapabilities (jannyHou)

  • Update README.md (Rand McKinney)

  • add info on url override (ivy ho)

  • add link for loopback types to mongodb (ivy ho)

  • replace MySQL with MongoDB (ivy ho)

  • Update Readme with Properties (ivy ho)

  • update lB connector version (Loay)

  • Fix replaceById to report err when id not found (Loay Gewily)

v3.0.0

Compare Source

=========================

  • Delete extraneous id for replaceById (Amir Jafarian)

  • Update paid support URL (Siddhi Pai)

  • Start 3.x + drop support for Node v0.10/v0.12 (siddhipai)

  • Drop support for Node v0.10 and v0.12 (Siddhi Pai)

  • Start the development of the next major version (Siddhi Pai)

  • Update mongodb version (jannyHou)

  • Update README with correct doc links, etc (Amir Jafarian)

  • Ensure inq/nin use array cond value (Fabien Franzen)

  • More ObjectID vs. String handling improvements (Fabien Franzen)

  • Test returned info for #destroy (Fabien Franzen)

  • Test fix for #253 (Fabien Franzen)

  • Fix Copyright, use process.nextTick (Fabien Franzen)

  • Fix all sorts of issues... (Fabien Franzen)

  • Column renaming should be done before extended ops (Ian Zepp)

  • Added support for renaming columns (Ian Zepp)

v1.18.1

Compare Source

v1.18.0

Compare Source

v1.17.0

Compare Source

==========================

  • Remove TEST prefix for env vars (#292) (Simon Ho)

  • Add connectorCapabilities global object (Nick Duffy)

  • Update translation files - round#2 (Candy)

  • Update deps to loopback 3.0.0 RC (Miroslav Bajtoš)

  • Remove conflict (jannyHou)

  • fix maxDistance not supported in geo filter. (Vincent Wen)

  • Use juggler@3 for running the tests (Miroslav Bajtoš)

  • Remove !intl (jannyHou)

  • Refactor (jannyHou)

  • Globalization (jannyHou)

  • Support patches afterwards (jannyHou)

  • Use the latest compatible mongodb (jannyHou)

  • Update URLs in CONTRIBUTING.md (#264) (Ryan Graham)

v1.15.2

Compare Source

==========================

  • Update "mongodb" dependency to caret notation (Bram Borggreve)

v1.15.1

Compare Source

==========================

  • insert/update copyrights (Ryan Graham)

  • relicense as MIT only (Ryan Graham)

v1.15.0

Compare Source

==========================

  • Lazy connect when booting app (juehou)

  • Add support for geoNear queries (Timo Saikkonen)

  • Fix linting errors (Amir Jafarian)

  • Auto-update by eslint --fix (Amir Jafarian)

  • Add eslint infrastructure (Amir Jafarian)

  • Implementation for replace (Amir Jafarian)

  • Upgrade should to 8.0.2 (Simon Ho)

  • Check dataSource.connecting to prevent race conditions (Fabien Franzen)

  • Remove email from AUTHORS (Simon Ho)

  • Update description in README.md (Simon Ho)

  • Clean up package.json (Simon Ho)

  • Update AUTHORS (Simon Ho)

  • Add AUTHORS file (Simon Ho)

  • Use ObjectId as internal storage for id (Raymond Feng)

  • test: fix order of semver arguments (Ryan Graham)

  • use mocha for test script (Ryan Graham)

  • Add more tests for id coercion (Raymond Feng)

v1.14.0

Compare Source

v1.13.3

Compare Source

v1.13.2

Compare Source

==========================

  • Make sure null/undefined id is not coerced (Raymond Feng)

  • Allow runtime configurable test environment (Simon Ho)

  • changed env variable for test servers (cgole)

v1.13.1

Compare Source

==========================

  • Fix the test set up (Raymond Feng)

  • Added mongo port env var (cgole)

  • Add env variable for mongodb server (cgole)

  • Refer to licenses with a link (Sam Roberts)

  • Fix repository field in package.json (Simon Ho)

  • Use strongloop conventions for licensing (Sam Roberts)

  • Enhance coercion of ids with inq/nin operators (Raymond Feng)

  • Return deleted count (Raymond Feng)

v1.13.0

Compare Source

==========================

  • Added a setting to enable optimised findOrCreate method so that connector continues to work with mongodb < 2.6 (Mike Bissett)

  • Fixed up merge conflicted dependencies in package.json (Mike Bissett)

  • Update deps (Raymond Feng)

  • implement optimized findOrCreate (Clark Wang)

  • extract sort document building to method (Clark Wang)

v1.12.0

Compare Source

==========================

  • Add regexp operator support (Simon Ho)

  • Enable options.allowExtendedOperators (Fabien Franzen)

  • Enable Model.settings.mongodb.allowExtendedOperators (Fabien Franzen)

  • Update benchmarks (Simon Ho)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
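The advisory above describes the defect (a client-supplied filter carrying MongoDB's `$where` operator reaches the driver and runs JavaScript on the database) and the fix shipped in 3.6.0 ("sanitize query by default"). The following is an added example, not code from loopback-connector-mongodb, the advisory or Renovate: it shows the defensive check an application can apply at its own boundary, walking a parsed `filter=` parameter recursively and rejecting any object key that names a code-executing operator, including one nested inside `or`/`$or` arrays. `FORBIDDEN_OPERATORS`, `sanitizeFilter`, `parseFilterParam` and the sample filters are all assumptions of this example.

```javascript
// Added example; not code from loopback-connector-mongodb or the advisory.
// Demonstrates the defensive check the advisory calls for: reject a LoopBack
// filter that carries MongoDB's $where operator (server-side JavaScript)
// anywhere in its tree before the filter reaches the driver.

// $where is the operator named in GHSA-m734-r4g6-34f9. The set is kept open
// so an operator can add other keys to block; the list itself is an assumption.
const FORBIDDEN_OPERATORS = new Set(['$where']);

class UnsafeFilterError extends Error {
  constructor(path) {
    super(`filter contains a forbidden operator at ${path}`);
    this.name = 'UnsafeFilterError';
    this.path = path;
  }
}

// Walk the filter recursively. Objects and arrays are copied key by key so the
// returned value shares no references with untrusted input; any forbidden key,
// including one nested inside $or/$and arrays, aborts the walk with its path.
function sanitizeFilter(node, path = 'filter') {
  if (Array.isArray(node)) {
    return node.map((item, i) => sanitizeFilter(item, `${path}[${i}]`));
  }
  if (node === null || typeof node !== 'object') {
    return node; // primitives carry no operators; a string value "$where" is data, not a key
  }
  const clean = {};
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_OPERATORS.has(key)) {
      throw new UnsafeFilterError(`${path}.${key}`);
    }
    clean[key] = sanitizeFilter(node[key], `${path}.${key}`);
  }
  return clean;
}

// Parse the raw `filter=` query-string value the way a REST endpoint receives
// it and return either a sanitized filter or a reason to answer 400.
function parseFilterParam(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    return { ok: false, reason: 'filter is not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'filter must be a JSON object' };
  }
  try {
    return { ok: true, filter: sanitizeFilter(parsed) };
  } catch (err) {
    if (err instanceof UnsafeFilterError) {
      return { ok: false, reason: err.message, path: err.path };
    }
    throw err;
  }
}

// Constructed sample inputs: the advisory's proof-of-concept filter and a
// benign LoopBack filter that uses ordinary connector operators only.
const POC_FILTER =
  '{"where":{"$where":"function(){sleep(5000); return this.title.contains(\'Hello\');}"}}';
const BENIGN_FILTER =
  '{"where":{"or":[{"title":{"like":"%Hello%"}},{"title":{"regexp":"^Hel"}}]},"limit":10}';

console.log(parseFilterParam(POC_FILTER));    // ok: false, path: 'filter.where.$where'
console.log(parseFilterParam(BENIGN_FILTER)); // ok: true, filter unchanged
```

Rejecting the request outright (rather than silently dropping the key) is preferable at an application boundary because it leaves a log entry that a client sent a filter with `$where`, which is worth alerting on. As defence in depth, server-side JavaScript can also be disabled in mongod itself with `security.javascriptEnabled: false` (or the `--noscripting` flag), which is the MongoDB-side switch the advisory's "instructions here" link refers to; neither measure replaces upgrading the connector to 3.6.0 or later.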

@pull-assistant

pull-assistant bot commented Sep 19, 2019

Score: 1.00

Best reviewed: commit by commit


Optimal code review plan

     Update dependency loopback-connector-mongodb to v5 [SECURITY]

Powered by Pull Assistant. Last update 2a099ef ... 2a099ef. Read the comment docs.

@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v5 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Apr 26, 2021
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 2a099ef to 82de24c Compare April 26, 2021 15:43
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 82de24c to efc092d Compare May 15, 2021 20:04
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] May 15, 2021
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from efc092d to a43d5ad Compare June 6, 2021 19:07
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Jun 6, 2021
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from a43d5ad to b87640b Compare November 20, 2022 23:56
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Nov 20, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from b87640b to 374c57e Compare November 30, 2022 13:18
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Nov 30, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 374c57e to 17c8cab Compare November 30, 2022 16:26
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Nov 30, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 17c8cab to e1f0652 Compare December 9, 2022 09:49
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Dec 9, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from e1f0652 to 75b3f2c Compare December 9, 2022 23:33
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Dec 9, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 75b3f2c to 492e19a Compare December 10, 2022 08:32
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Dec 10, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 492e19a to fbfa555 Compare December 10, 2022 11:09
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Dec 10, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from fbfa555 to fe887f6 Compare December 17, 2022 07:23
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Dec 17, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from fe887f6 to e01b406 Compare December 17, 2022 10:16
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Dec 20, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch 2 times, most recently from 96f5e80 to d855f6f Compare December 20, 2022 08:39
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Dec 20, 2022
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from d855f6f to 14fe898 Compare January 6, 2023 10:13
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Jan 6, 2023
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from 14fe898 to f8b27a1 Compare January 6, 2023 14:06
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Jan 6, 2023
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from f8b27a1 to dc7bdad Compare January 17, 2023 17:00
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v3 [SECURITY] Update dependency loopback-connector-mongodb to v6 [SECURITY] Jan 17, 2023
@renovate renovate bot force-pushed the renovate/npm-loopback-connector-mongodb-vulnerability branch from dc7bdad to f7d9211 Compare January 18, 2023 08:57
@renovate renovate bot changed the title Update dependency loopback-connector-mongodb to v6 [SECURITY] Update dependency loopback-connector-mongodb to v3 [SECURITY] Jan 18, 2023