ejdb
MongoDB Syntax
Thanks for all the work on this project. I've only just discovered it and I think it's fantastic. The speed and simplicity of getting started (in node at least) was out of this world.
I see in version 1 you used to use a MongoDB-style syntax. From reading your Medium article, it appears you moved away from this to XPath due to Mongo's "bulky" syntax.
I think I understand why, and actually think I prefer the xpath syntax in many ways.
However, I'm struggling to find a safe way of structuring safe user input, from a RESTful API for example.
I ended up creating a library: https://github.com/markwylde/mql-to-jql
It converts mongo's query language to jql. It's not got everything just yet. But in that project I can do:
    const customUserParameters = { category: 'anything-from-user' };
    const query = convert({
      $and: [
        { userId: 'uuid-uuid-uuid-uuid' },
        { ...customUserParameters },
      ]
    });
This will convert it to:
    /* query === {
         mql: '(/[[* = :?] = :?] and (/[[* = :?] = :?]))',
         values: ['userId', 'uuid-uuid-uuid-uuid', 'customUserParameters', 'anything-from-user']
       }
    */
I think I'm trapped in my old Mongo way of thinking, but I'm not sure of another (and safe) way of allowing user input. I'm scared of compiling a jql syntax mixing auth and custom filtering.
Do you have a solution, library or other method of compiling the same sort of query as above, in jql?
Hi Mark! I understand the problem, let me think about it)
Hi Mark! I may introduce some syntax sugar special for this case, something like this:
/some/path/[somekey includes :?]
Some JSON value pointed by /some/path/somekey is an object and includes :? argument as its structural subset. Ordering of keys is irrelevant.
Interesting Adam. So in that case the content of :? could not be "escaped". Therefore, any criteria outside would be forced.
In the end, would it be safe for my web app to allow the following "untrusted" query from a browser?
https://mywebsite.com/notes?filter="/notes/[category=demo]"
> In the end, would it be safe for my web app to allow the following "untrusted" query from a browser?
> https://mywebsite.com/notes?filter="/notes/[category=demo]"
It will not be safe since you can always add | del or | apply to the end of the filter =) Read-only queries may help here but are not yet implemented.
Although the structure of a query language is very limited, so you may strip it with regexps; not perfect but it will work.
> Hi Mark! I may introduce some syntax sugar special for this case, something like this:
> /some/path/[somekey includes :?]
> Some JSON value pointed by /some/path/somekey is an object and includes :? argument as its structural subset. Ordering of keys is irrelevant.
Definitely will do that, but I cannot define an exact time frame since I'm quite busy with my main work.
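An added example, not code from this thread or from ejdb: one way to combine a server-enforced ownership clause with browser-supplied filters without ever placing request data in the query text, reusing the `/[[* = :?] = :?]` clause shape shown above. The names `ALLOWED_FILTER_FIELDS`, `buildNotesQuery` and `demo` are hypothetical, and it assumes the driver binds the positional `:?` placeholders from `values` in order.

```javascript
// Added example; ALLOWED_FILTER_FIELDS and buildNotesQuery are hypothetical names.
const ALLOWED_FILTER_FIELDS = new Set(['category', 'title', 'archived']);
const CLAUSE = '/[[* = :?] = :?]'; // key and value are both bound, as in the thread

function isScalar(v) {
  return typeof v === 'string' || typeof v === 'boolean' ||
    (typeof v === 'number' && Number.isFinite(v));
}

function buildNotesQuery(authenticatedUserId, userFilter) {
  if (typeof authenticatedUserId !== 'string' || authenticatedUserId === '') {
    throw new TypeError('authenticatedUserId must be a non-empty string');
  }
  if (userFilter === null || typeof userFilter !== 'object' || Array.isArray(userFilter)) {
    throw new TypeError('filter must be a plain object');
  }
  // The ownership clause is always first and never comes from the request.
  const clauses = [CLAUSE];
  const values = ['userId', authenticatedUserId];
  for (const [field, value] of Object.entries(userFilter)) {
    // Allowlist the keys so a request cannot add its own userId clause.
    if (!ALLOWED_FILTER_FIELDS.has(field)) {
      throw new RangeError(`filter field not allowed: ${field}`);
    }
    // Scalars only: a nested object would be an operator such as {$ne: ...}.
    if (!isScalar(value)) {
      throw new TypeError(`filter value for ${field} must be a scalar`);
    }
    clauses.push(CLAUSE);
    values.push(field, value);
  }
  // The text is built from constants only; request data exists only in values.
  return { text: clauses.join(' and '), values };
}

// Constructed request: the filter arrives as ordinary query parameters.
function demo() {
  const url = new URL('https://mywebsite.com/notes?category=demo%5D%20%7C%20del');
  return buildNotesQuery('uuid-uuid-uuid-uuid', Object.fromEntries(url.searchParams));
}
```

Because the query text is assembled only from the constant clause, a value such as `demo] | del` stays a bound string and cannot append a `| del` or `| apply` stage.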