
Leaking private/protected data #252

Closed
@smirea

Description


Say you have a User model:

const User = mongoose.model('User', new mongoose.Schema({
    name: String,
    password: String,
}));

Normally you never want to expose the password, under any circumstances, so you'd do:

restify.serve(router, User, {
    private: ['password'],
})

Now this works when hitting any endpoint:
GET /User does not show the fields
GET /User/some-id also does not show the password

HOWEVER:

GET /User?distinct=password shows ALL passwords for ALL users in the database ...

This is a huge security concern
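Added illustration, not part of the issue and not express-restify-mongoose's own code: the `private` option strips fields from documents on the way out, but `?distinct=<field>` makes the endpoint return an array of raw field values instead of documents, so that output filter never sees them. The fix is to check every field name a query references against the private list before the query runs. The user collection, the private-field list and the helper names (`fieldsReferenced`, `isPrivatePath`, `vulnerableGet`, `hardenedGet`) are constructed for this example; covering `select` as well is our generalisation, since the issue only reports `distinct`.

```javascript
// Added example (not express-restify-mongoose code): a minimal model of the
// `distinct` bypass from the issue and a request-time guard that closes it.
// The collection, the private-field list and the helper names are constructed.

const PRIVATE_FIELDS = ['password'];

// Constructed stand-in for the User collection.
const USERS = [
  { _id: '1', name: 'alice', password: 'hunter2' },
  { _id: '2', name: 'bob', password: 'correct horse' },
  { _id: '3', name: 'carol', password: 'hunter2' },
];

// Output filtering: drop private fields from a document. This is the step
// that protects GET /User and GET /User/:id.
function filterDoc(doc, privateFields) {
  return Object.fromEntries(
    Object.entries(doc).filter(([key]) => !privateFields.includes(key))
  );
}

// Vulnerable handler. With ?distinct=<field> the response is an array of raw
// field values rather than documents, so filterDoc() never runs on them and
// ?distinct=password returns every password in the collection.
function vulnerableGet(query, privateFields) {
  if (query.distinct) {
    return [...new Set(USERS.map((u) => u[query.distinct]))];
  }
  return USERS.map((u) => filterDoc(u, privateFields));
}

// Every field name a query references. `distinct` is the operator from the
// issue; `select` is included because it names fields the same way (our
// generalisation, not the issue's). `-field` / `+field` are reduced to the
// bare path.
function fieldsReferenced(query) {
  const fields = [];
  if (typeof query.distinct === 'string') fields.push(query.distinct);
  if (typeof query.select === 'string') {
    for (const f of query.select.split(/[\s,]+/)) {
      if (f) fields.push(f.replace(/^[-+]/, ''));
    }
  }
  return fields;
}

// A referenced path is private if it equals a private field or is nested
// under one (e.g. `password` also covers `password.hash`).
function isPrivatePath(path, privateFields) {
  return privateFields.some((p) => path === p || path.startsWith(p + '.'));
}

// Hardened handler: validate the query against the private list *before* it
// reaches the database. Rejecting rather than silently stripping makes the
// misuse visible in logs.
function hardenedGet(query, privateFields) {
  const leaked = fieldsReferenced(query).filter((f) => isPrivatePath(f, privateFields));
  if (leaked.length > 0) {
    const err = new Error(`query references private field(s): ${leaked.join(', ')}`);
    err.status = 403;
    throw err;
  }
  return vulnerableGet(query, privateFields); // safe: no private field is named
}

console.log(vulnerableGet({ distinct: 'password' }, PRIVATE_FIELDS)); // leaks all passwords
try {
  hardenedGet({ distinct: 'password' }, PRIVATE_FIELDS);
} catch (e) {
  console.log(e.status, e.message); // 403 query references private field(s): password
}
console.log(hardenedGet({ distinct: 'name' }, PRIVATE_FIELDS));
```

The guard is deliberately placed on the parsed query, not on the response: any operator that takes a field name (`distinct` here, `select` by the same reasoning) produces output that is not shaped like a document, so filtering the response after the fact is the wrong layer.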
