Question: Safe to expose Smart Query? #1085
Comments
Nope, you should not let API users form the query; only values should be used. You could end up with an attacker using some operator or negation, disabling some checks, using For internal endpoints it's fine I guess, as long as you know the caller can be trusted (like if it's some script, or another microservice of your own).

```js
const res = await orm.em.find(Author, { $and: [
  { 'id:in': [1, 2, 7] },
  ...customFilter, // only adds further AND-ed filters
] });
```

But how could an attacker disable some checks with an approach like this? It could only add some checks. At least this is how I understand it. Or does this smart query builder combine these and remove duplicates? That would lead to the behaviour you described. I was a bit more concerned about SQL injection.
Yeah, that approach should be safe. I was talking about using the query as a value, so you would have
Anyway, the approach with the operator in the key is deprecated and will be removed in v5, mainly because it can be dangerous when used without proper input validation.
Ok, so it is safe from SQL injection, and it doesn't collapse the whole query and remove duplicated things? That would be fine for me.

Btw you don't even need

No, I meant the operator-in-key approach, so

Not sure what you mean by duplicates and collapsing, do you have an example?

Yeah, I just copied this from the docs. I also like the approach with the $ operators more.
I meant something like this:

```js
const res = await orm.em.find(Author, { $and: [
  { id: { $in: [1, 2, 7] } }, // "duplicated" key
  { id: { $nin: [1, 2, 7] } },
] });

// gets resolved to
const resolved = await orm.em.find(Author, { $and: [
  { id: { $nin: [1, 2, 7] } },
] });
```

But if this is not like in my example then I am fine.
Yeah, that is safe, nothing will be removed from the

```js
const res = await orm.em.find(Author, {
  id: { $in: [1, 2, 7] },
  ...query, // query is `{ id: { $ne: 0 } }`
});
```

Here it would override the

Yeah, that's true. Thanks for the clarification.
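To make the difference between the two compositions concrete, here is an added example (not code from the MikroORM project or from anyone in this thread). It builds only plain condition objects of the shape discussed above and never calls MikroORM, so it runs under plain Node.js. The operator allowlist and the set of permitted field names are constructed for the example; the `buildUnsafe`, `buildSafe` and `validateFilter` functions are hypothetical helpers, not MikroORM API.

```javascript
// Added example, not code from the MikroORM project or the issue participants.
// It builds only plain condition objects of the shape discussed in the thread
// (no MikroORM call is made), so it runs with plain Node.js.

// Unsafe composition: spreading an untrusted filter at the top level lets a
// later `id` key replace the fixed `id: { $in: [...] }` constraint.
function buildUnsafe(userFilter) {
  return { id: { $in: [1, 2, 7] }, ...userFilter };
}

// Safe composition: the fixed constraint is one $and branch and the user filter
// another, so the caller can only narrow the result, never replace the constraint.
function buildSafe(userFilter) {
  return { $and: [{ id: { $in: [1, 2, 7] } }, userFilter] };
}

// Constructed allowlist for a public endpoint: value operators only, no
// logical operators ($and/$or/$not) and no negation ($ne/$nin).
const ALLOWED_OPERATORS = new Set(['$eq', '$in', '$gt', '$gte', '$lt', '$lte']);

function isScalar(v) {
  return v === null || ['string', 'number', 'boolean'].includes(typeof v);
}

// Walk an untrusted filter and collect problems: unknown fields, operators
// outside the allowlist, the deprecated 'field:op' key syntax, and operand
// values that are not scalars or arrays of scalars (which would let a caller
// smuggle nested conditions in through an operator value). An empty result
// means the filter may be handed to buildSafe().
function validateFilter(filter, allowedFields, path = '') {
  const problems = [];
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    problems.push(`${path || '<root>'}: expected an object`);
    return problems;
  }
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key.includes(':')) {
      problems.push(`${here}: deprecated operator-in-key syntax is not accepted`);
    } else if (key.startsWith('$')) {
      if (!ALLOWED_OPERATORS.has(key)) {
        problems.push(`${here}: operator not allowed`);
      } else if (!(isScalar(value) || (Array.isArray(value) && value.every(isScalar)))) {
        problems.push(`${here}: operand must be a scalar or an array of scalars`);
      }
    } else if (!allowedFields.has(key)) {
      problems.push(`${here}: unknown field`);
    } else if (!isScalar(value)) {
      // `field: { $op: ... }` form: recurse into the operator object.
      problems.push(...validateFilter(value, allowedFields, here));
    }
  }
  return problems;
}

// Stand-alone demonstration with a constructed hostile filter.
const hostile = { id: { $ne: 0 } };
console.log(JSON.stringify(buildUnsafe(hostile))); // the id constraint is replaced
console.log(JSON.stringify(buildSafe(hostile)));   // the id constraint is kept
console.log(validateFilter(hostile, new Set(['id', 'name'])));
```

The validator is the part that matters for a public endpoint: `buildSafe` stops a caller from widening the fixed constraint, but it still forwards whatever operators the caller sent, so an allowlist of operators and field names is what keeps negation, logical operators and the deprecated key syntax out of queries built from request bodies.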
Hello,
I started to use Mikro-orm and I really like it. I saw Mikro-orm supports a kind of query language which works with plain JSON objects: https://mikro-orm.io/docs/query-conditions
I asked myself, is it safe to expose this smart query? For example, to allow passing it via a JSON body from an HTTP request? Or is it too easy to inject SQL with this? I mean, for my current application I will do it anyway because it is just a small side project and not public on the internet. However, this would be cool to know for future projects.
Greetings, Nils