Leaking private/protected data #252
Comments
if anyone stumbles upon this in the meantime, I've fixed it for myself using a preMiddleware:

```javascript
(req, res, next) => {
  // no ?distinct= parameter: nothing to check
  if (!req.query.distinct) return next();
  // look the requested field up in the model's schema
  const schema = req.erm && req.erm.model && req.erm.model.schema;
  const prop = schema && schema.path && schema.path(req.query.distinct);
  // unknown or non-private field: let the route handle it
  if (!prop || !prop.options || prop.options.access != 'private') return next();
  res.status(400);
  res.json({error: `Invalid property ${req.query.distinct}`});
}
```

This requires that you define

```javascript
const User = mongoose.model('User', new mongoose.Schema({
  name: String,
  password: {type: String, access: 'private'},
}));
```

but this has the nice benefit that it filters them out in the normal aforementioned cases while also disabling the
Confirmed, thank you. I wrote some tests and have a fix, it just needs some extra polish. I should be able to get something out in the next couple of days.
This will filter out distinct queries containing a private or protected field. As suggested, distinct fields are now verified before querying, thus saving a database call and fields that are filtered out return an empty array, as if the field did not exist. Closes #252
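The two defences discussed in this thread, the preMiddleware from the earlier comment and the verify-before-query behaviour described in the closing commit message, as an added dependency-free example. This is not code from express-restify-mongoose or its contributors; `makeSchema`, `unsafeDistinct`, `distinctGuard`, `safeDistinct`, the `RANK` table and the sample `users` are assumptions standing in for Mongoose and a real collection.

```javascript
// Added example, not code from express-restify-mongoose: a dependency-free
// model of the ?distinct= guard discussed in this issue. makeSchema,
// unsafeDistinct, distinctGuard, safeDistinct and RANK are assumed names.

// Constructed stand-in for a Mongoose schema: path(name) returns an object
// carrying the field's options, or undefined for a path the schema lacks.
function makeSchema(definition) {
  return {
    path(name) {
      return Object.prototype.hasOwnProperty.call(definition, name)
        ? { options: definition[name] }
        : undefined;
    },
  };
}

// Mirrors the User schema from the comment above, plus a protected field.
const userSchema = makeSchema({
  name: { type: String },
  email: { type: String, access: 'protected' },
  password: { type: String, access: 'private' },
});

// Constructed sample documents; a real deployment would query MongoDB.
const users = [
  { name: 'alice', email: 'alice@example.test', password: 'hash-a' },
  { name: 'bob', email: 'bob@example.test', password: 'hash-b' },
  { name: 'alice', email: 'alice2@example.test', password: 'hash-c' },
];

// Ordering of access levels: a caller at a level may read fields at or below it.
const RANK = { public: 0, protected: 1, private: 2 };

// Access level declared for a field: 'public' when no access option is set,
// null when the schema has no such path.
function fieldAccess(schema, field) {
  const prop = schema.path(field);
  if (!prop) return null;
  return (prop.options && prop.options.access) || 'public';
}

// The behaviour the issue reports: distinct runs over every document with
// no regard for the field's access level.
function unsafeDistinct(docs, field) {
  return [...new Set(docs.map((d) => d[field]))];
}

// Option 1, the preMiddleware from the comment above: refuse the request
// outright when ?distinct= names a private field. Returns the response the
// middleware would send, or { next: true } when the route may proceed.
function distinctGuard(req) {
  const field = req.query && req.query.distinct;
  if (!field) return { next: true };
  const schema = req.erm && req.erm.model && req.erm.model.schema;
  const prop = schema && schema.path && schema.path(field);
  if (!prop || !prop.options || prop.options.access !== 'private') return { next: true };
  return { status: 400, body: { error: `Invalid property ${field}` } };
}

// Option 2, the approach of the fix in the closing comment: check the field
// against the caller's access level before touching the database, and return
// an empty array for a field the caller may not read, as if it did not exist.
function safeDistinct(schema, docs, field, callerAccess = 'public') {
  const level = fieldAccess(schema, field);
  if (level === null) return [];                   // unknown path
  if (RANK[callerAccess] < RANK[level]) return []; // filtered out, no DB call
  return unsafeDistinct(docs, field);
}

// Stand-alone run.
const sampleReq = { query: { distinct: 'password' }, erm: { model: { schema: userSchema } } };
console.log(distinctGuard(sampleReq));
console.log(safeDistinct(userSchema, users, 'password'));
console.log(safeDistinct(userSchema, users, 'name'));
console.log(safeDistinct(userSchema, users, 'email', 'protected'));
```

Note that the middleware as posted only stops fields marked `private`; a `protected` field still passes through it, which is why `safeDistinct` compares the field's level against the caller's level instead of testing for one literal value.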
Say you have a User model: normally you want to never expose the password, under any circumstances, so you'd normally do:

Now this works when hitting any endpoint:

GET /User does not show the fields
GET /User/some-id also does not show the password

HOWEVER:

GET /User?distinct=password shows ALL passwords for ALL users in the database ... This is a huge security concern