Steps to reproduce
Description + example -> here
From moongose 6+ (which is required by feathers-mongoose 8+) query behaves different and it may lead to serious security issues. When there is value in query that is not present in model it returns everything.
const feathers = require('@feathersjs/feathers');
const {Service} = require('feathers-mongoose');
const mongoose = require('mongoose');
const app = feathers();
mongoose.connect('mongodb://localhost:27017/feathers-test');
class MessageService extends Service {
constructor(options) {
super(options);
}
}
app.use('messages', new MessageService({
Model: mongoose.model('msgs',new mongoose.Schema({
id: Number,
text: String
})),
multi:true // allow to delete multiple msgs
}));
const run = async ()=>{
await app.service('messages').remove(null);
await app.service('messages').create({id:1, text: 'Hello'});
await app.service('messages').create({id:2, text: 'World'});
await app.service('messages').create({id:3, text: 'Hello'});
const good_messages = await app.service('messages').find({query:{text:'Hello'}});
const bad_messeges = await app.service('messages').find({query:{iamundefined:'World'}});
console.log('good msgs', good_messages);
console.log('bad msgs', bad_messeges);
};
run();
for mongoose 5.13.14 output is:
for mongoose 6.2.6:
...
bad msgs [
{
_id: new ObjectId("6231331f31b50960eff2255f"),
id: 1,
text: 'Hello',
__v: 0
},
{
_id: new ObjectId("6231331f31b50960eff22561"),
id: 2,
text: 'World',
__v: 0
},
{
_id: new ObjectId("6231331f31b50960eff22563"),
id: 3,
text: 'Hello',
__v: 0
}
]
Steps to reproduce
Description + example -> here
From moongose 6+ (which is required by feathers-mongoose 8+) query behaves different and it may lead to serious security issues. When there is value in query that is not present in model it returns everything.
for mongoose 5.13.14 output is:
for mongoose 6.2.6: