
MongoDB Syntax

Open markwylde opened this issue 3 years ago • 6 comments

Thanks for all the work on this project. I've only just discovered it and I think it's fantastic. The speed and simplicity of getting started (in node at least) was out of this world.

I see in version 1 you used to use a mongodb style syntax. From reading your medium article, it appears you moved away from this to xpath due to mongos "bulky" syntax.

I think I understand why, and actually think I prefer the xpath syntax in many ways.

However, I'm struggling to find a safe way of structuring safe user input, from a RESTful API for example.

I ended up creating a library: https://github.com/markwylde/mql-to-jql

It converts mongo's query language to jql. It's not got everything just yet. But in that project I can do:

const customUserParameters = { category: 'anything-from-user' };

const query = convert({
  $and: [
    { userId: 'uuid-uuid-uuid-uuid' },
    { ...customUserParameters },
  ]
});

This will convert it to:

/* query === {
  mql: '(/[[* = :?] = :?] and (/[[* = :?] = :?]))',
  values: ['userId', 'uuid-uuid-uuid-uuid', 'category', 'anything-from-user']
}
*/

I think I'm trapped in my old mongo way of thinking, but I'm not sure of another (and safe) way of allowing user inputs. I'm scared of compiling a jql syntax mixing auth and custom filtering.

Do you have a solution, library or other method of compiling the same sort of query as above, in jql?

markwylde, Nov 07 '20 10:11

Hi Mark! I understand the problem, let me think about it)

adamansky, Nov 09 '20 04:11

Hi Mark! I may introduce some syntax sugar special for this case, something like this:

/some/path/[somekey includes :?]

Some JSON value pointed by /some/path/somekey is an object and includes :? argument as its structural subset. Ordering of keys is irrelevant.

adamansky, Nov 16 '20 13:11

Interesting Adam. So in that case the content of :? could not be "escaped". Therefore, any criteria outside would be forced.

In the end, would it be safe for my web app to allow the following "untrusted" query from a browser?

https://mywebsite.com/notes?filter="/notes/[category=demo]"

markwylde, Nov 16 '20 13:11

> In the end, would it be safe for my web app to allow the following "untrusted" query from a browser? https://mywebsite.com/notes?filter="/notes/[category=demo]"

It will not be safe since you can always add | del or | apply to the end of the filter =) Read-only queries may help here but are not yet implemented.

adamansky, Nov 16 '20 13:11

Although the structure of the query language is very limited, so you may strip it with regexes; not perfect, but it will work.

adamansky, Nov 16 '20 14:11
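The safe pattern the thread converges on (server-owned auth clause, untrusted input bound only through `:?` placeholders, never spliced into the query text) as an added example; this is not code from the issue, from EJDB or from mql-to-jql. The clause shape `/[key = :?] and /[key = :?]` and the `{ jql, values }` result shape are assumptions of this example.

```javascript
// Added example (not from the issue, EJDB or mql-to-jql): build a JQL filter
// from a trusted auth constraint plus an untrusted key/value filter taken
// from a REST request. Untrusted text only reaches the engine through :?
// placeholders, so it cannot append "| del", "| apply" or any other query
// text. Clause shape '/[key = :?] and /[key = :?]' is assumed here.

// Keys become part of the query text, so only plain identifiers are allowed.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isPrimitive(v) {
  return typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean';
}

// authFilter: set by the server (e.g. { userId } from the session).
// userFilter: whatever the client sent; treated as hostile.
function buildFilter(authFilter, userFilter) {
  const clauses = [];
  const values = [];
  const addClause = (key, value, who) => {
    if (!SAFE_KEY.test(key)) throw new Error(`${who}: rejected key ${JSON.stringify(key)}`);
    if (!isPrimitive(value)) throw new Error(`${who}: rejected value for ${key}`);
    clauses.push(`/[${key} = :?]`); // value is bound positionally, never inlined
    values.push(value);
  };
  for (const [k, v] of Object.entries(authFilter)) addClause(k, v, 'auth');
  for (const [k, v] of Object.entries(userFilter)) {
    // Auth keys are owned by the server; the client may not restate them.
    if (Object.prototype.hasOwnProperty.call(authFilter, k)) {
      throw new Error(`user: key ${k} is reserved`);
    }
    addClause(k, v, 'user');
  }
  if (clauses.length === 0) throw new Error('empty filter');
  // Joined with "and", so the auth clause can only narrow the result set.
  return { jql: clauses.join(' and '), values };
}

// Parse the raw ?filter= parameter: only a flat JSON object is accepted,
// never a JQL string to be spliced into the query.
function parseUserFilter(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { throw new Error('filter must be JSON'); }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('filter must be a flat object');
  }
  return obj;
}
```

The `values` array is meant to be bound to the placeholders in order through the driver's placeholder API; the query text itself is fully determined by the server.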

> Hi Mark! I may introduce some syntax sugar special for this case, something like this:
>
> /some/path/[somekey includes :?]
>
> Some JSON value pointed by /some/path/somekey is an object and includes :? argument as its structural subset. Ordering of keys is irrelevant.

Definitely will do that but cannot define an exact time frame since I am quite busy with my main work.

adamansky, Nov 20 '20 15:11