Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adapter commons whitelist skips filter items? #1971

Open
jnardone opened this issue May 28, 2020 · 6 comments
Open

adapter commons whitelist skips filter items? #1971

jnardone opened this issue May 28, 2020 · 6 comments
Labels

Comments

@jnardone
Copy link
Contributor

@jnardone jnardone commented May 28, 2020

Steps to reproduce

First, not sure where adapter-commons is in 4.5.3.

We have a query in the client (using the Feathers client):

    const item = await myService.get(this.id, {
      query: {
        $populate: ['user']
      }
    });

What's notable is myService does NOT whitelist $populate. I've confirmed at no point is it there.

I'm confused by this code in cleanQuery:

_.each(query, (value, key) => {
  if (key[0] === '$') {
    if (filters[key] !== undefined) {
      return;
    }

    if (!operators.includes(key)) {
      throw new BadRequest(`Invalid query parameter ${key}`, query);
    }
  }

The code thinks my $populate is part of the filters, so it sees that we have a filter with this operator and lets it through! What's the point of the operator check if things like $populate are not considered?

What does it mean for an operator to be part of the query vs the filter? I had trouble finding docs that explained it and this behavior.

This definitely worked at some point (where it would error out in this scenario).

Expected behavior

I would expect $populate to error in this case because I have not whitelisted it.

Actual behavior

The query succeeds and does the $populate

System configuration

Module versions (especially the part that's not working):
feathers-mongoose 8.3.0
adapter-commons 4.4.3 (because feathers-mongoose 8.3.0 specifies ^4.4.1)
feathersjs 4.5.3

NodeJS version:
12.16.3

@jnardone
Copy link
Contributor Author

@jnardone jnardone commented May 29, 2020

If so then what's the point of the whitelist? We want to disallow $populate from the client except where we explicitly allow it in feathers-mongoose, but not clear when that regressed (it used to work as expected...)

@J3m5
Copy link

@J3m5 J3m5 commented May 29, 2020

It seems to lead to that change.

@daffl
Copy link
Member

@daffl daffl commented May 29, 2020

$populate is officially supported by the feathers-mongoose adapter (documented at https://github.com/feathersjs-ecosystem/feathers-mongoose#populate). If you want to disable it you can pass your own filters in the service options at src/services/<name>/<name>.service.js:

  const options = {
    Model,
    paginate,
    filters: {}
  };
@jnardone
Copy link
Contributor Author

@jnardone jnardone commented May 29, 2020

That page explicitly says

Important: $populate has to be whitelisted explicitly since it can expose protected fields in sub-documents (like the user password) which have to be removed manually.

The service being called DOES NOT WHITELIST $populate yet it is allowed. This feels like a bug - shouldn't the whitelist check happen before the filter check?

@daffl
Copy link
Member

@daffl daffl commented Jun 1, 2020

That is correct and indeed does not seem to be the case at the moment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.