The following use of eval in lib/drivers/search/pouch.js is dangerous:

An attacker can use a malicious payload instead of a valid collection name to inject arbitrary commands. I suggest one of the following options: refactor out eval, use ad hoc regex validation, or use a heavyweight sanitization package like https://www.npmjs.com/package/eval-sanitizer

Hey Cristian, thanks for the report, and self-promotion tip. Will get on this soon. In the meantime, PouchDB is not the recommended driver for production.
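The pattern the report describes, as an added example that is not code from this project: the page does not show the actual eval call in lib/drivers/search/pouch.js, so the vulnerable builder below is a hypothetical reconstruction of "collection name spliced into source text and eval'd", with constructed sample documents, a constructed payload, and a `sideEffects` array that only exists to prove injected code ran. Beside it is a hardened builder that applies the allowlist-style regex validation the report suggests and drops eval entirely, treating the name as data compared at runtime (names such as `buildFilterUnsafe`, `buildFilterSafe`, `isValidCollectionName`, `findInCollection`, and the regex itself are assumptions for the example, not the project's API).

```javascript
// Constructed sample documents standing in for rows in a document store.
const SAMPLE_DOCS = [
  { _id: "1", collection: "users", name: "alice" },
  { _id: "2", collection: "posts", name: "hello" },
  { _id: "3", collection: "users", name: "bob" },
];

// Sink that injected code can write to, so the demo can prove it executed.
const sideEffects = [];

// VULNERABLE (hypothetical reconstruction of the reported pattern): the
// collection name is pasted into JavaScript source text and eval'd, so any
// name containing a double quote escapes the string literal and becomes code.
function buildFilterUnsafe(collectionName) {
  const src = 'doc => doc.collection === "' + collectionName + '"';
  return eval(src); // direct eval: runs with access to this module's scope
}

// Constructed payload: closes the literal, runs attacker code at eval time,
// then supplies a valid filter as the final expression so eval still returns
// a working function and the caller notices nothing.
const PAYLOAD =
  'users"; sideEffects.push("injected"); doc2 => doc2.collection === "users';

// HARDENED: allowlist the shape of a collection name (letters, digits,
// underscore, hyphen; must start with a letter; bounded length). This is an
// assumed policy for the example; a real project would match its own rules.
const COLLECTION_NAME = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function isValidCollectionName(name) {
  return typeof name === "string" && COLLECTION_NAME.test(name);
}

// No eval: the name is a closed-over value compared at runtime. Validation
// is kept as defense in depth; removing eval is the actual fix.
function buildFilterSafe(collectionName) {
  if (!isValidCollectionName(collectionName)) {
    throw new TypeError("invalid collection name: " + JSON.stringify(collectionName));
  }
  return doc => doc.collection === collectionName;
}

// Query helper parameterised on the builder so both variants can be compared.
function findInCollection(docs, collectionName, buildFilter = buildFilterSafe) {
  return docs.filter(buildFilter(collectionName));
}

// Runs the payload through both builders and reports what happened.
function demo() {
  const unsafeResult = findInCollection(SAMPLE_DOCS, PAYLOAD, buildFilterUnsafe);
  let safeError = null;
  try {
    findInCollection(SAMPLE_DOCS, PAYLOAD, buildFilterSafe);
  } catch (e) {
    safeError = e;
  }
  return {
    unsafeReturnedIds: unsafeResult.map(d => d._id), // looks like a normal query
    injectedCodeRan: sideEffects.includes("injected"), // but attacker code executed
    safeRejected: safeError instanceof TypeError,
    safeResultIds: findInCollection(SAMPLE_DOCS, "users").map(d => d._id),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe variant is the instructive part: the attacker-controlled name yields a filter that returns exactly the rows a legitimate `users` query would, so the only evidence of compromise is the side effect, which in a real deployment could be anything the Node process can do. The regex check rejects the payload because of the quote and semicolons, but the closure-based builder would be safe even without it, which is why removing eval should come first.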