Leaking private/protected data

[smirea]

say you have an User model:

const User = mongoose.model('User', new mongoose.Schema({
    name: String,
    password: String,
}));

normally you want to never expose the password, under any circumstances, so you'd normally do:

restify.serve(router, User, {
    private: ['password'],
})

Now this works with hitting any endpoint:
GET /User does not show the fields
GET /User/some-id also does not show the password

HOWEVER:

GET /User?distinct=password shows ALL passwords for ALL users in the database ...

This is a huge security concern

[smirea]

if anyone stumbles upon this in the meantime, I've fixed it for myself using a preMiddleware:

preMiddleware: (req, res, next) => {
    if (!req.query.distinct) return next();
    const schema = req.erm && req.erm.model && req.erm.model.schema;
    const prop = schema && schema.path && schema.path(req.query.distinct);
    if (!prop || !prop.options || prop.options.access != 'private') return next();
    res.status(400);
    res.json({error: `Invalid propert ${req.query.distinct}`})
}

This requires that you define access: 'private' in your mongoose schemas:

const User = mongoose.model('User', new mongoose.Schema({
    name: String,
    password: {type: String, access: 'private'},
}));

but this has the nice benefit that it filters them out in the normal aforementioned cases while also disabling the distinct query with the same syntax

[Zertz]

Confirmed, thank you. I wrote some tests and have a fix, it just needs some extra polish. I should be able to get something out in the next couple of days.