ChickenKyiv / recipe-search-api

https://loopback-recipe-search.herokuapp.com/explorer/#!/Recipe/Recipe_find

GNU Affero General Public License v3.0

[Security] Bump loopback-connector-mongodb from 3.5.0 to 3.9.2 #100

Open dependabot-preview[bot] opened 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps loopback-connector-mongodb from 3.5.0 to 3.9.2. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The npm Advisory Database](https://npmjs.com/advisories/696).*

> **NoSQL Injection**
> Versions of `loopback-connector-mongodb` before 3.6.0 are vulnerable to NoSQL injection.
>
> MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous `$where` property to be passed to the MongoDB Driver. The Driver allows the special `$where` property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an [intended feature of MongoDB](https://docs.mongodb.com/manual/core/server-side-javascript/) unless disabled ([instructions here](https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js)).
>
> A proof of concept malicious query:
>
> ```
> GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}
> ```
>
> The above makes the database sleep for 5 seconds and then returns all “Posts” with the title containing the word `Hello`.
>
> Affected versions: <=3.5.0
Changelog

*Sourced from [loopback-connector-mongodb's changelog](https://github.com/strongloop/loopback-connector-mongodb/blob/v3.9.2/CHANGES.md).*

> 2018-11-08, Version 3.9.2
> =========================
>
> * support decimal128 type for nested properties ([#483](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/483)) (Janny)
>
>
> 2018-10-24, Version 3.9.1
> =========================
>
> * remove the infinite inspect ([#480](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/480)) ([#482](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/482)) (Janny)
>
>
> 2018-10-23, Version 3.9.0
> =========================
>
> * support decimal128 ([#475](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/475)) (Janny)
>
> * Added `"authSource"` in doc connection properties (Rémi AUGUSTE)
>
> * Convert embedded binary properties to buffer (ntsekouras)
>
> * Convert projection fields option to object (Dimitris)
>
>
> 2018-09-19, Version 3.8.0
> =========================
>
> * fix performance issues on count [#464](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/464) (Clément)
>
> * feat: allow methods to pass strictObjectIDCoercion (virkt25)
>
>
> 2018-09-14, Version 3.7.1
> =========================
>
> * fix: map new names to old for connector hooks (virkt25)
>
>
> 2018-09-12, Version 3.7.0
> =========================
>
> * update deprecated mongo driver commands (Hugo Da Roit)
>
> * Remove hard dependency of memwatch-next (Raymond Feng)
>
> * Add support for protocol to be 'monogodb+srv' (Raymond Feng)
>
>
> 2018-08-15, Version 3.6.0
> =========================
> ... (truncated)
Commits

- [`deef8d9`](https://github.com/strongloop/loopback-connector-mongodb/commit/deef8d96d6cebd27e881ab6ce1f332e84dae5082) 3.9.2
- [`5b7e5fd`](https://github.com/strongloop/loopback-connector-mongodb/commit/5b7e5fd3bac8448926e3e2f74ae318168aa8a335) support decimal128 type for nested properties ([#483](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/483))
- [`ed83f3f`](https://github.com/strongloop/loopback-connector-mongodb/commit/ed83f3ffa8347449277bd1e727d33d6af5be74ea) 3.9.1
- [`3eeedaf`](https://github.com/strongloop/loopback-connector-mongodb/commit/3eeedaf312bf757817e12519fd1b5708f2f22f13) remove the infinite inspect ([#480](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/480)) ([#482](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/482))
- [`1aea8db`](https://github.com/strongloop/loopback-connector-mongodb/commit/1aea8dbc6a0a92661f866db98947cdf268e9bc69) 3.9.0
- [`d6e69c2`](https://github.com/strongloop/loopback-connector-mongodb/commit/d6e69c2f2ec6e51655b7a6f5f7c2660285ef2b7d) support decimal128 ([#475](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/475))
- [`efbee59`](https://github.com/strongloop/loopback-connector-mongodb/commit/efbee59bfe8362822483d5e1a0867e90c1b00c4d) Merge pull request [#471](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/471) from ntsekouras/fix-issue470
- [`ab6b3aa`](https://github.com/strongloop/loopback-connector-mongodb/commit/ab6b3aab8fa11f707fe751fa7c000d2eec6eac10) Merge pull request [#469](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/469) from Weaverize/master
- [`94245dc`](https://github.com/strongloop/loopback-connector-mongodb/commit/94245dc436575a82dd4132b3c1d7d752c3156a0d) Added `"authSource"` in doc connection properties
- [`fbf58b3`](https://github.com/strongloop/loopback-connector-mongodb/commit/fbf58b3a331c331badf85060065c31a6f6073436) Convert embedded binary properties to buffer
- Additional commits viewable in [compare view](https://github.com/strongloop/loopback-connector-mongodb/compare/v3.5.0...v3.9.2)
Maintainer changes

This version was pushed to npm by [jannyhou2016](https://www.npmjs.com/~jannyhou2016), a new releaser for loopback-connector-mongodb since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
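The advisory quoted in the PR describes the mechanism plainly: the client-controlled `filter` query parameter is forwarded to the MongoDB driver with its `$where` key intact, and the driver treats the value of that key as JavaScript to run on the server. Upgrading the connector is the fix this PR delivers; the following is an added example, not code from this PR, from the recipe-search-api project or from loopback-connector-mongodb, showing the kind of application-side guard a service can keep as defense in depth: it walks a LoopBack-style `filter` object (including `and`/`or` arrays) and refuses any key that would execute server-side JavaScript before the filter reaches the connector. `$where` is the operator named in the advisory; adding `$function` and `$accumulator` to the deny set, the function names, and the sample filters are this example's own assumptions.

```javascript
// Added example: an application-side guard for client-supplied LoopBack
// filters. Not code from this PR or from loopback-connector-mongodb.
// `$where` is the operator from the advisory; `$function` and `$accumulator`
// are this example's assumption about other operators that run server-side
// JavaScript and should never be accepted from a client.
const FORBIDDEN_OPERATORS = new Set(['$where', '$function', '$accumulator']);

// Walk the filter recursively (plain objects, arrays such as LoopBack's
// `and`/`or` lists) and return the dotted path of the first forbidden key,
// or null when the filter is clean.
function findForbiddenOperator(value, path = 'filter') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenOperator(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_OPERATORS.has(key)) return `${path}.${key}`;
      const hit = findForbiddenOperator(value[key], `${path}.${key}`);
      if (hit !== null) return hit;
    }
  }
  return null; // strings, numbers, booleans cannot carry an operator key
}

// Parse the raw `filter` query-string value (LoopBack accepts it as JSON)
// and reject the whole request if a forbidden operator appears anywhere,
// rather than trying to strip the key and run the remainder.
function parseClientFilter(rawFilter) {
  let filter;
  try {
    filter = JSON.parse(rawFilter);
  } catch (err) {
    throw new Error('filter is not valid JSON');
  }
  const hit = findForbiddenOperator(filter);
  if (hit !== null) {
    throw new Error(`rejected filter: forbidden operator at ${hit}`);
  }
  return filter;
}

// Returns the rejection reason for a raw filter, or null if it is accepted.
function rejectionReason(rawFilter) {
  try {
    parseClientFilter(rawFilter);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed inputs: the advisory's proof-of-concept payload, the same
// payload hidden inside an `or` list, and a benign filter that must pass.
const POC_FILTER =
  '{"where": {"$where": "function(){sleep(5000); return this.title.contains(\'Hello\');}"}}';
const NESTED_FILTER =
  '{"where": {"or": [{"title": "Hello"}, {"$where": "sleep(5000) || true"}]}}';
const BENIGN_FILTER = '{"where": {"title": {"like": "Hello"}}, "limit": 10}';

for (const raw of [POC_FILTER, NESTED_FILTER, BENIGN_FILTER]) {
  console.log(raw, '->', rejectionReason(raw) || 'accepted');
}
```

Rejecting the request outright is deliberate: a filter that carries `$where` was not produced by any legitimate client of this API, so there is nothing worth salvaging from it, and a clean 4xx is easier to alert on than a silently trimmed query. This check complements, rather than replaces, the two measures the advisory points at: upgrading the connector to a fixed version and disabling server-side JavaScript on mongod (`security.javascriptEnabled: false`, or `--noscripting`), which removes the sink even if some other code path forwards a raw filter.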