fix: sanitize query by default #452
Conversation
virkt25
requested review from
b-admike,
dhmlau,
jannyHou and
shimks
as code owners
| if (!filter || typeof filter !== 'object') return filter; | ||
|
|
||
| for (const key in filter) { | ||
| if (key === '$where' || key === 'mapReduce') { |
There was a problem hiding this comment.
According to the docs it's mapReduce.
https://docs.mongodb.com/manual/core/server-side-javascript/
There was a problem hiding this comment.
Can the special keys be nested in the filter deeper than the 1st level?
There was a problem hiding this comment.
Nope. As pointed out by the test case below that @shimks commented on, Mongo only executes these at the top most level and not at the property level.
test/mongodb.test.js
Outdated
| Post.create({title: 'Post1', content: 'Post1 content'}, (err, p1) => { | ||
| Post.create({title: 'Post2', content: 'Post2 content'}, (err2, p2) => { | ||
| Post.create({title: 'Post3', content: 'Post3 data'}, (err3, p3) => { | ||
| Post.find({where: {conent: {where: 'function() {return this.content.contains("content")}'}}}, (err, p) => { |
There was a problem hiding this comment.
conent -> content
where -> $where
| Post.create({title: 'Post3', content: 'Post3 data'}, (err3, p3) => { | ||
| Post.find({where: {content: {$where: 'function() {return this.content.contains("content")}'}}}, (err, p) => { | ||
| should.not.exist(err); | ||
| p.length.should.be.equal(0); |
There was a problem hiding this comment.
Let me know if I'm understanding this correctly: $where clause here is not executed, meaning the where filter effectively looks like this: {where: {content: ''}}, so p in this case is just an empty array.
There was a problem hiding this comment.
Well ... it tried to match content to the object {$where: '...'}
|
There are more similar cases, such as: {"where":{"$and":[{"$where":"function(){sleep(1000); return this.username.contains('test');}"}]}} |
Description
This PR adds a sanitization step to the
buildWhereandbuildSortfunction using the newsanitizeFilterfunction.This function accepts an option in an options object
disableSanitization- which can be any truthy value to disable sanitization (filter passed in is returned as-is)As per https://docs.mongodb.com/manual/core/server-side-javascript/ only
$whereandmapReduceproperties can execute JavaScript on the Mongo Driver sosanitizeFilterremoves those properties if present at the top level of the query object.Related issues
fixes #403
Checklist
guide