A query cursor is a really powerful tool to implement pagination of a large dataset. A possible use case of this feature in an API is to return the next-page cursor value with the response data.
But with the current implementation it is not safe to do this, because the cursor string is passed to the eval() method, which is a security flaw.
Consider using the json or pickle module to encode/decode the filter options for the queryset that are stored in the cursor.
Another issue may be with a hacky user who changes the filter/limit/order values inside the cursor, which would expose the whole collection's data.
For the second part of your question, you can encode and decode the cursor on your end and then send it to other users to avoid hacking of the cursor. Any pull request for this will be acceptable.
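An added example, not code from this issue or from the project, of the encode/decode approach the reply suggests: the cursor's query state is serialized with json instead of eval(), and an HMAC tag lets the server detect edited filter/limit values. The key, the MAX_LIMIT ceiling and the cursor field names are assumptions; pickle is deliberately not used, since unpickling untrusted input can also execute code.

```python
import base64
import binascii
import hashlib
import hmac
import json

SECRET_KEY = b"placeholder-server-secret"  # constructed; held by the server only
MAX_LIMIT = 100  # assumed server-side ceiling on page size
_b64 = base64.urlsafe_b64encode


def encode_cursor(state: dict, key: bytes = SECRET_KEY) -> str:
    """JSON-serialize the query state and append an HMAC-SHA256 tag."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload).decode() + "." + _b64(tag).decode()


def decode_cursor(cursor: str, key: bytes = SECRET_KEY) -> dict:
    """Verify the tag before trusting the cursor; json.loads only builds data."""
    try:
        payload_b64, tag_b64 = cursor.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed cursor") from exc
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("cursor signature mismatch")
    state = json.loads(payload)
    limit = state.get("limit", 0) if isinstance(state, dict) else None
    # Defence in depth: even a genuine cursor must respect server limits.
    if not isinstance(limit, int) or limit > MAX_LIMIT:
        raise ValueError("cursor outside allowed bounds")
    return state


def rejects(cursor: str) -> bool:
    try:
        decode_cursor(cursor)
    except ValueError:
        return True
    return False


def tampered_cursor() -> str:
    """Constructed test input: a valid cursor whose filter was edited, tag kept."""
    payload_b64, tag_b64 = encode_cursor({"filter": {"owner": "alice"}, "limit": 20}).split(".")
    state = json.loads(base64.urlsafe_b64decode(payload_b64))
    state["filter"] = {}  # widened filter, as the issue warns about
    return _b64(json.dumps(state).encode()).decode() + "." + tag_b64
```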