Hi Fiznool,
I understand this library strips or modifies the keys of query params or body params, but what if it is not the entire key:value pair that is saved to MongoDB, but instead only the value?
If it was a key:value pair that gets saved to MongoDB, I understand this module would prevent such a key from entering the database. But instead of the entire key:value pair, what if the value is the only part saved to the db? This is a different matter and is not sanitized in this case.
Let's say you had a POST with key:value params as follows:
client_name: John_Doe
client_hobby: { "$passwd": { "$gt": "" } }
Now this might be an oversimplified example, but in this example the value of hobby is never sanitized and is saved to the db.
client.findByIdAndUpdate(id, { "name": req.body.name, "hobby": req.body.hobby }, function (err) { ... });
Is there not a threat in this scenario that needs to be sanitized? If no regard needs to be given to $ and . in the value string, please explain.
Here is another person with the same issue, who like me thinks/thought it was not working because it is not working on values, just keys: https://stackoverflow.com/questions/68878047/can-you-tell-me-if-express-mongo-sanitize-is-working