Query returns all data if there is a key that is not present in model · Issue #430 · feathersjs-ecosystem/feathers-mongoose · GitHub

Query returns all data if there is a key that is not present in model #430

Description

@xbubus

Steps to reproduce

Description + example -> here

Since Mongoose 6+ (which is required by feathers-mongoose 8+) the query behaves differently, and it may lead to serious security issues. When there is a value in the query that is not present in the model, it returns everything.

const feathers = require('@feathersjs/feathers');
const { Service } = require('feathers-mongoose');
const mongoose = require('mongoose');

const app = feathers();

class MessageService extends Service {
    constructor(options) {
        super(options);
    }
}

app.use('messages', new MessageService({
    // The schema declares only `id` and `text`; any other query key is unknown to the model.
    Model: mongoose.model('msgs', new mongoose.Schema({
        id: Number,
        text: String
    })),
    multi: true // allow remove(null) to delete multiple msgs
}));

const run = async () => {
    await mongoose.connect('mongodb://localhost:27017/feathers-test');
    // Start from an empty collection.
    await app.service('messages').remove(null);
    await app.service('messages').create({ id: 1, text: 'Hello' });
    await app.service('messages').create({ id: 2, text: 'World' });
    await app.service('messages').create({ id: 3, text: 'Hello' });
    // `text` is a schema path: should match the two 'Hello' documents.
    const good_messages = await app.service('messages').find({ query: { text: 'Hello' } });
    // `iamundefined` is not a schema path: expected [], but with Mongoose 6 every document comes back.
    const bad_messages = await app.service('messages').find({ query: { iamundefined: 'World' } });
    console.log('good msgs', good_messages);
    console.log('bad msgs', bad_messages);
    await mongoose.disconnect(); // let the process exit
};

run().catch((err) => {
    console.error(err);
    process.exit(1);
});

for mongoose 5.13.14 output is:

...
bad msgs []

for mongoose 6.2.6:

...
bad msgs [
  {
    _id: new ObjectId("6231331f31b50960eff2255f"),
    id: 1,
    text: 'Hello',
    __v: 0
  },
  {
    _id: new ObjectId("6231331f31b50960eff22561"),
    id: 2,
    text: 'World',
    __v: 0
  },
  {
    _id: new ObjectId("6231331f31b50960eff22563"),
    id: 3,
    text: 'Hello',
    __v: 0
  }
]
