[Security] Add security suggestions of $populate mongoose operator
If a dev adds the $populate operator to the whitelist of a service, the service will be vulnerable to NoSQL injection. So it is extremely important to add a security suggestion to the docs on how to handle this.
Mongoose reference documentation.
Example NoSQL $populate injection
```
// As object
{
  "$populate[0]": {
    "path": "users",
    "select": "email password"
  }
}

// Full query string parameters
api.example.com/posts?%24populate%5B0%5D%5Bpath%5D=users&%24populate%5B0%5D%5Bselect%5D=email%20password
```
Solution
Patch the $populate operator so that only strings are allowed.
```js
const { Forbidden } = require('@feathersjs/errors');

// Before hook: verify that the query's $populate (a string or an array) contains only strings
const populate = [].concat(context.params.query.$populate || []);
const isNoSQLInjection = populate.some(p => typeof p !== 'string');
if (isNoSQLInjection) throw new Forbidden('$populate operator as object is not allowed.');
```