These are chat archives for Automattic/mongoose

12th Jul 2018
Bart Cone
@bartcone
Jul 12 2018 02:38

I've read that if I define a schema as such:

const UserSchema = new Schema({ name: String });
const User = mongoose.model('User', UserSchema);

then untrusted input doesn't need to be sanitized?

User.findOne({ name: req.query.name })
I'm not seeing this, e.g. http://localhost:3000/users?name[$gt]= gives unexpected results
Jason Kleinberg
@Ustice
Jul 12 2018 02:41
@lineus Thanks very much for the answer. (I'm a coworker of BeardedGardner). That's a much better answer than going back to the MongoDB driver, which was the solution that I was going to default to.
Kev
@lineus
Jul 12 2018 09:05
@Ustice You're welcome! After a few minutes of trying to guess how to solve it, I called Test.collection.findOneAndUpdate() to bypass mongoose and use the native driver directly too :smile: and it worked just fine. Adding mongoose.set('debug', true) and seeing that mongoose was changing my $set to $setOnInsert is what drove me to dig into the source code.
Josh Gardner
@BeardedGardner_twitter
Jul 12 2018 13:17
Excellent, we assumed it was some sort of pre-hook executing, but couldn't figure out what exactly was up! Appreciate you digging into it!
Kev
@lineus
Jul 12 2018 13:21
@bartcone personally, I think you should always sanitize your inputs. There are mongodb queries that allow you to execute javascript on the mongodb server. You also might want to switch to a sql backend at some point. Better safe than sorry.
Bart Cone
@bartcone
Jul 12 2018 13:52
@lineus maybe I'm missing something, but this seems like a fundamental thing that would be solved? kinda like parameterized queries? do you have any blog posts or recommendations on sanitation modules? I've seen mongo-sanitize mentioned in a couple blog posts...
Maxim
@mxmzb
Jul 12 2018 16:38
i have extracted my models into another module, now when i require them they don't share the same connection object (i connect in module A and import models from module B).
do i need to write a creator function or something that i will pass my connection from module A to module B if i want to make this work?
Maxim
@mxmzb
Jul 12 2018 18:02
i have carefully worded my question and posted on SO if anyone here could have a look I'd appreciate: https://stackoverflow.com/questions/51311879/how-do-you-share-mongoose-connection-models-across-packages
Kev
@lineus
Jul 12 2018 18:04
@bartcone whatever string you pass into the query is what's going to get sent to the db. As long as you're not using one of the three operations listed in the link I shared ( most notably $where ), it's not going to be 'injection', just a small waste of resources on your mongodb server ( a pointless query most likely matching 0 docs ).
@mxmzb are you calling await inside of an async function? your example shows it called globally, which seems like it shouldn't work at all.
I'm assuming that your example just isn't complete, as you're calling mongoose.connect() in a file that doesn't appear to have mongoose declared anywhere.
Kev
@lineus
Jul 12 2018 18:13
if you want to know whether or not you are using 2 different mongoose instances, you can put a console.log(require.resolve('mongoose')) in each separate file and see whether or not they are getting the same path to mongoose as they should.
Maxim
@mxmzb
Jul 12 2018 18:54
@lineus yeah, the code was kind of copy-pasted from my actual code and stripped down, but i think (or rather hope) the idea of what's going on is clear
Kev
@lineus
Jul 12 2018 18:55
does require.resolve('mongoose') show 2 different paths for mongoose or the same one?
Maxim
@mxmzb
Jul 12 2018 18:55
i just read your answer so i will try out rn but i am already pretty sure you are right
Maxim
@mxmzb
Jul 12 2018 19:01
it's different
:/
@lineus thank you! just gonna wrap my models in a function and pass over my mongoose then
Kev
@lineus
Jul 12 2018 19:03
@mxmzb you can just add the model to mongoose and export mongoose. it already stores it all anyway.
Maxim
@mxmzb
Jul 12 2018 19:04
i don't think i know what you mean
Kev
@lineus
Jul 12 2018 19:10
@mxmzb example gist
Maxim
@mxmzb
Jul 12 2018 19:19
@lineus oh i see, yeah that works too :)
Bart Cone
@bartcone
Jul 12 2018 23:51
@lineus eh.. definitely is injection
take my example and pass http://localhost:3000/users?name[$ne]= will dump all records where name does not equal ''