NoSQL injections #896

Closed
mitar opened this Issue · 6 comments

5 participants

@mitar

It does not seem that Meteor prevents NoSQL injections? For example, in the documentation this example is given:

Meteor.publish("messages", function (roomId) {
  return Messages.find({room: roomId});
});

Is there anything preventing an adversary from calling subscribe with roomId equal to:

{$ne: null}

effectively obtaining all Messages from all rooms?

@raix

I guess nothing prevents it - a bit hard to prevent.
I guess you could do something like:

Meteor.publish("messages", function (roomId) {
  return Messages.find({room: ''+roomId });
});

Maybe a typecasting tool for js?

@awatson1978

Shouldn't you be able to use Meteor.allow() and Meteor.deny() rules? All the examples just demonstrate insert, remove, and update; but it should support specifying rules for 'find' as well.

Messages.allow({
  find: function (roomId) {
    return !_.any(function (party) {
      if (roomId == null) {
        return false;
      } else {
        return true;
      }
    });
  },
  insert: function () {
    return true;
  },
  remove: function () {
    return true;
  },
  update: function () {
    return true;
  }
});

@glasser
Owner

I'd say this is a feature, but we should make it easy to validate that things we want to be scalars are scalars, and our examples should show good practices.

@bbbmmmlll

If a collection needs to be restricted, then your publish function needs to be written to enforce the restrictions. You could add an additional selector (such as restricting results to this.userId somehow, or checking the user's current room and restricting results accordingly), test whatever the client sent (is it a valid roomId and/or number), etc.

I don't see this as a Meteor issue. It's a general client/server issue where the best practice is to never trust the client.

@mitar

@awatson1978: That would be duplication of logic.

@glasser
Owner

On devel now, we have a new check function to help you validate your arguments, as well as an audit-check-coverage optional package to help you make sure that you check all arguments in all your methods and publish functions. Thanks!
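To make the whole thread concrete, here is an added example (not code from Meteor, its documentation, or any of the participants) that reproduces the injection mitar describes and then shows the two defenses raised above: raix's string coercion and a scalar `check` in the spirit of the one glasser mentions. `find()` is a tiny in-memory stand-in for `Messages.find()` that only understands equality and the `$ne` operator, `check()` is a stand-in for Meteor's `check(value, String)`, and the messages are constructed sample data; none of these are the real Meteor or MongoDB implementations.

```javascript
// Added example, not from Meteor or the thread: a toy Messages collection and
// matcher, used to show how an untrusted roomId becomes part of a selector.

// Constructed sample data: three messages across two rooms.
const MESSAGES = [
  { _id: 'm1', room: 'lobby', text: 'hello' },
  { _id: 'm2', room: 'lobby', text: 'hi' },
  { _id: 'm3', room: 'secret', text: 'the plan' },
];

// Minimal Mongo-style field match: plain values compare by equality; an object
// carrying `$ne` matches when the stored value differs from the operand.
function fieldMatches(value, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    if (Object.prototype.hasOwnProperty.call(cond, '$ne')) {
      return value !== cond.$ne;
    }
    return false; // any other operator is unsupported in this toy matcher
  }
  return value === cond;
}

// Stand-in for Messages.find(selector): every selector key must match.
function find(selector) {
  return MESSAGES.filter((doc) =>
    Object.keys(selector).every((k) => fieldMatches(doc[k], selector[k]))
  );
}

// 1. The publish body from the docs: whatever the client sent is the selector.
function publishUnchecked(roomId) {
  return find({ room: roomId });
}

// 2. raix's suggestion: coerce to a string so an operator object never reaches
//    the selector. An object becomes "[object Object]" and matches nothing, but
//    note that an array such as ['lobby'] coerces to 'lobby' and still works.
function publishCoerced(roomId) {
  return find({ room: '' + roomId });
}

// 3. Stand-in for Meteor's check(value, String): refuse anything that is not a
//    primitive string before it is used in a selector (hypothetical helper).
function check(value, pattern) {
  if (pattern === String && typeof value === 'string') return;
  const got = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
  throw new Error('Match error: expected String, got ' + got);
}

function publishChecked(roomId) {
  check(roomId, String);
  return find({ room: roomId });
}

// Constructed client input: the injected operator from the issue.
const INJECTED_ROOM_ID = { $ne: null };

// Returns true when publishChecked rejects the given argument.
function checkedRejects(roomId) {
  try {
    publishChecked(roomId);
    return false;
  } catch (e) {
    return true;
  }
}
```

Running the three publish variants against `'lobby'` and against `{ $ne: null }` shows the difference: the unchecked version returns the lobby's two messages for the honest argument but all three messages, including the one from `secret`, for the injected one; the coerced version returns nothing for the injected object; the checked version throws before the query runs.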

@glasser glasser closed this