dependabot-preview[bot]
commented
5 years ago We've just been alerted that this update fixes a security vulnerability:
Sourced from The npm Advisory Database.
NoSQL Injection Versions of
loopback-connector-mongodbbefore 3.6.0 are vulnerable to NoSQL injection.MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous
$whereproperty to be passed to the MongoDB Driver. The Driver allows the special$whereproperty in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions here).A proof of concept malicious query:
GET /POST filter={"where": {"$where": "function(){sleep(5000); return this.title.contains('Hello');}"}}... (truncated)
Patched versions: [">=3.6.0"] Affected versions: ["<=3.5.0"]
Bumps loopback-connector-mongodb from 3.5.0 to 3.6.0.
Changelog
*Sourced from [loopback-connector-mongodb's changelog](https://github.com/strongloop/loopback-connector-mongodb/blob/master/CHANGES.md).* > 2018-08-15, Version 3.6.0 > ========================= > > * docs: update with security consideration section (virkt25) > > * fix: sanitize query by default (virkt25) > > * change `count` to `countDocuments` (Rahmat Nugraha) > > * add `useNewUrlParser` on validOptionNames (Rahmat Nugraha) > > * Dedicated Model for testing disableDefaultSort (HugoPoi) > > * Add disableDefaultSort in README (HugoPoi) > > * Add settings disableDefaultSort for find method (HugoPoi)Commits
- [`bdad30a`](https://github.com/strongloop/loopback-connector-mongodb/commit/bdad30a53b93fc50b4b0ba00b094abf19b9a4668) 3.6.0 - [`0f46f71`](https://github.com/strongloop/loopback-connector-mongodb/commit/0f46f7140c324e65f9d3ecc339b296b2469d84a6) Merge pull request [#454](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/454) from strongloop/docs - [`a2985e0`](https://github.com/strongloop/loopback-connector-mongodb/commit/a2985e002781152c81921fbe48eb7b23fe97cc57) docs: update with security consideration section - [`4df3c63`](https://github.com/strongloop/loopback-connector-mongodb/commit/4df3c63d0c4a0cb8d68339be7b06020cc69c1ddb) Merge pull request [#452](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/452) from strongloop/sanitize - [`ee24cd0`](https://github.com/strongloop/loopback-connector-mongodb/commit/ee24cd08b8ccc32711264831c71b1da628df357b) fix: sanitize query by default - [`99bca4b`](https://github.com/strongloop/loopback-connector-mongodb/commit/99bca4bd2cd465eb48eabb60bde6d6b1af47a475) Merge pull request [#450](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/450) from gendigbadig/master - [`2d2999e`](https://github.com/strongloop/loopback-connector-mongodb/commit/2d2999e37710b47b131b7632f88e75537e4698d4) Merge pull request [#437](https://github-redirect.dependabot.com/strongloop/loopback-connector-mongodb/issues/437) from HugoPoi/feature/settings-disable-default-sort - [`21618d8`](https://github.com/strongloop/loopback-connector-mongodb/commit/21618d8f9b4c110d425a1e511d7a22ab7443dc33) change `count` to `countDocuments` - [`dbccb86`](https://github.com/strongloop/loopback-connector-mongodb/commit/dbccb86bd2fbe0a92c29698685ef423288498eb5) add `useNewUrlParser` on validOptionNames - [`94e47e3`](https://github.com/strongloop/loopback-connector-mongodb/commit/94e47e35df877eba5d6a5ca7224c784ee14bb3e3) Dedicated Model for testing disableDefaultSort - Additional commits viewable in [compare view](https://github.com/strongloop/loopback-connector-mongodb/compare/v3.5.0...v3.6.0)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.