fix: sanitize query by default #452
if (!filter || typeof filter !== 'object') return filter; | ||
for (const key in filter) { | ||
if (key === '$where' || key === 'mapReduce') { |
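Review bot: `for (const key in filter)` also visits enumerable properties inherited through the prototype chain, so iterating `Object.keys(filter)` (or guarding with `hasOwnProperty`) keeps the check to the filter's own keys. The comparison is an exact match on top-level keys only, which is consistent with the description, but it leaves a `$where` nested inside `$and: [...]`, the shape mentioned later in this review, untouched; consider recursing into `$and`/`$or`/`$nor` arrays.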
$mapReduce?
According to the docs it's mapReduce. https://docs.mongodb.com/manual/core/server-side-javascript/
Can the special keys be nested in the filter deeper than the 1st level?
Nope. As pointed out by the test case below that @shimks commented on, Mongo only executes these at the topmost level and not at the property level.
test/mongodb.test.js
Post.create({title: 'Post1', content: 'Post1 content'}, (err, p1) => { | ||
Post.create({title: 'Post2', content: 'Post2 content'}, (err2, p2) => { | ||
Post.create({title: 'Post3', content: 'Post3 data'}, (err3, p3) => { | ||
Post.find({where: {conent: {where: 'function() {return this.content.contains("content")}'}}}, (err, p) => { |
conent -> content
where -> $where
Post.create({title: 'Post3', content: 'Post3 data'}, (err3, p3) => { | ||
Post.find({where: {content: {$where: 'function() {return this.content.contains("content")}'}}}, (err, p) => { | ||
should.not.exist(err); | ||
p.length.should.be.equal(0); |
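Review bot: this test nests `$where` under `content`, a field-level position the sanitizer does not inspect (the description says it strips top-level keys only), so `p.length` is 0 because no document's `content` equals that object, not because sanitization ran. To exercise the new code, put `$where` at the top level of the where clause (and add a `$and: [{$where: ...}]` variant) and assert on the result.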
Let me know if I'm understanding this correctly: the $where clause here is not executed, meaning the where filter effectively looks like this: {where: {content: ''}}, so p in this case is just an empty array.
Well ... it tried to match content to the object {$where: '...'}.
There are more similar cases, such as: {"where":{"$and":[{"$where":"function(){sleep(1000); return this.username.contains('test');}"}]}}
Description
This PR adds a sanitization step to the buildWhere and buildSort functions using the new sanitizeFilter function. This function accepts an option in an options object, disableSanitization, which can be any truthy value to disable sanitization (the filter passed in is returned as-is).

As per https://docs.mongodb.com/manual/core/server-side-javascript/ only $where and mapReduce properties can execute JavaScript on the Mongo driver, so sanitizeFilter removes those properties if present at the top level of the query object.

Related issues
fixes #403
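An added example, not the connector's own code, of a sanitizeFilter in the spirit of this description: it strips the top-level $where and mapReduce keys, honours the disableSanitization option, and, going beyond the PR's top-level-only removal, also descends into $and/$or/$nor arrays to cover the nested shape raised in the review above. The option name, the helper names and the sample filters are constructed for illustration.

```javascript
'use strict';

// Keys that can run server-side JavaScript (per the MongoDB docs linked above).
const JS_KEYS = ['$where', 'mapReduce'];
// Logical operators whose array elements are themselves top-level-style queries.
const LOGICAL_KEYS = ['$and', '$or', '$nor'];

/**
 * Return a copy of `filter` with server-side-JavaScript keys removed.
 * `options.disableSanitization` (any truthy value) returns the filter as-is.
 * Keys nested under ordinary field names (e.g. {content: {$where: ...}}) are
 * left alone: Mongo does not execute them there, it only tries to match the
 * document field against that object.
 */
function sanitizeFilter(filter, options) {
  options = options || {};
  if (options.disableSanitization) return filter;
  // Non-objects (and arrays, which are not query documents) pass through.
  if (!filter || typeof filter !== 'object' || Array.isArray(filter)) return filter;

  const clean = {};
  for (const key of Object.keys(filter)) {          // own keys only
    if (JS_KEYS.includes(key)) continue;             // drop $where / mapReduce
    if (LOGICAL_KEYS.includes(key) && Array.isArray(filter[key])) {
      // $and / $or / $nor: sanitize each sub-query (extension beyond the PR).
      clean[key] = filter[key].map((sub) => sanitizeFilter(sub, options));
    } else {
      clean[key] = filter[key];
    }
  }
  return clean;
}

// Constructed sample filters (not real queries from the project's tests).
const SAMPLE_TOP = {title: 'Post1', $where: 'function() { return true; }'};
const SAMPLE_AND = {$and: [{$where: 'function() { return true; }'}, {title: 'Post1'}]};
const SAMPLE_FIELD = {content: {$where: 'function() { return true; }'}};

console.log(sanitizeFilter(SAMPLE_TOP));    // { title: 'Post1' }
console.log(sanitizeFilter(SAMPLE_AND));    // { '$and': [ {}, { title: 'Post1' } ] }
console.log(sanitizeFilter(SAMPLE_FIELD));  // unchanged: field-level, not executed
console.log(sanitizeFilter(SAMPLE_TOP, {disableSanitization: true}) === SAMPLE_TOP); // true
```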