These are chat archives for Automattic/mongoose

15th
Jan 2016
Chris
@drakoumel
Jan 15 2016 10:45
The current build of mongoose is failing, anyone know more about it?
ahh, it's only for node.js 0.12
Apart from that today I am getting (on heroku host) -> Error: Cannot find module './operators/bitwise' at Object.<anonymous> (/app/node_modules/mongoose/lib/schema/index.js:8:18)
but I don't see that require in the source
Chris
@drakoumel
Jan 15 2016 17:05
I found the require and it seems correct, any idea as to why the heroku environment cannot find it?
Chris
@drakoumel
Jan 15 2016 18:05
I deployed the same app on cloud9, and the operators folder doesn't exist although I installed it from npm
probably same issue on heroku
Valeri Karpov
@vkarpov15
Jan 15 2016 19:44
@/all 3.8.39 and 4.3.6 were just released to fix a DoS vulnerability with buffers Automattic/mongoose#3764 . If you use buffers, I recommend upgrading ASAP. If you have any questions, feel free to reach out to me directly via gitter, github, or email (val [at] karpov [dot] io)
Robby O'Connor
@robbyoconnor
Jan 15 2016 19:50
@vkarpov15 is 4.2.4 vulnerable to this?
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 19:53
It's not just a DoS.
It's DoS + memory exposure.
Robby O'Connor
@robbyoconnor
Jan 15 2016 19:53
Okay, but what versions are affected?
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 19:54
I did not check, but I estimate that all of them since long ago.
only if you use Buffer field type.
Robby O'Connor
@robbyoconnor
Jan 15 2016 19:54
I'm fairly confident we do not in the particular codebase I maintain
okay, we're safe otherwise, correct?
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 19:57
Yes.
Valeri Karpov
@vkarpov15
Jan 15 2016 19:58
@robbyoconnor this vulnerability was introduced in 3.5.5 here: Automattic/mongoose@79e740b
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 19:59
@vkarpov15 Could you add that info to the issue?
Valeri Karpov
@vkarpov15
Jan 15 2016 19:59
already done
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 19:59
Good.
Valeri Karpov
@vkarpov15
Jan 15 2016 20:00
@robbyoconnor you're not affected unless you use the buffer schema type, that is, if you have a schema that looks like new Schema({ buf: Buffer });
Robby O'Connor
@robbyoconnor
Jan 15 2016 20:01
I do not think we do :)
Diego Aguilar Aguilar
@diegoaguilar
Jan 15 2016 20:01
Hello, just a random question, would Mongo 3.2 introduce new stuff in Mongoose?
Robby O'Connor
@robbyoconnor
Jan 15 2016 20:04
{} types are safe correct?
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 20:05
Btw, generic proposal to fix this on the Node.js side — https://github.com/ChALkeR/notes/blob/master/Lets-fix-Buffer-API.md
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 20:20
@robbyoconnor I added PoC to the issue.
Robby O'Connor
@robbyoconnor
Jan 15 2016 20:20
PoC?
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 20:20
proof-of-concept code
that demonstrates this
Valeri Karpov
@vkarpov15
Jan 15 2016 20:21
@robbyoconnor mixed types are fine, there's no casting for those
@diegoaguilar a couple of new things, there's aggregation helpers for $lookup and $sample now
nothing too major
Сковорода Никита Андреевич
@ChALkeR
Jan 15 2016 20:32
Robby O'Connor
@robbyoconnor
Jan 15 2016 20:34
@ChALkeR :+1:
Diego Aguilar Aguilar
@diegoaguilar
Jan 15 2016 22:21

@vkarpov15 I got curious about the internal process of Mongoose, my doubt is:

A mongoose connection may be set up and started; then any model might be required and used without setting up connection settings

is that possible because of the singleton pattern available at Node?