carbon-io / carbond

MIT License

Confirm parameter parser does not allow for MongoDB injection #183

Closed willshulman closed 7 years ago

willshulman commented 7 years ago

Right now the parser parses "{}" as a string if the defined schema of the parameter is a string.

-will

gregbanks commented 7 years ago

:selfie: 2aac3d27d664fb2f83be05080798d80cb03a4bf8

willshulman commented 7 years ago

I feel like this test could one day pass even if the typeof(req.parameters.bar) !== 'string', but want to look at test case more closely.

willshulman commented 7 years ago

For example if the HTTP client underlying this test for some reason returned a string (perhaps a bug in that client) then this test would pass even though the parameter parser let an object sneak through.

willshulman commented 7 years ago

Maybe an additional explicit typeof test?

gregbanks commented 7 years ago

Those tests are here: https://github.com/carbon-io/carbond/blob/master/test/ParameterParsingTests.js#L193

willshulman commented 7 years ago

Ah. Ok closing ticket.
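As an added illustration of the behaviour this thread wants (not carbond's own code), the snippet below sketches a schema-driven parameter parser that keeps a string-typed parameter as a string even when its raw value is "{}", together with the explicit typeof check willshulman suggested; the function names, schema shape and sample query values are assumptions constructed for the example.

```javascript
// Added example, not carbond's code. A parameter whose schema says "string"
// is never JSON-parsed, so a value such as "{}" cannot turn into an object
// that later reaches a MongoDB query. Names and schema shape are assumed.
function parseParameter(raw, schema) {
  if (typeof raw !== 'string') {
    throw new TypeError('raw query value must be a string');
  }
  switch (schema.type) {
    case 'string':
      return raw; // no JSON.parse here: "{}" stays the string "{}"
    case 'number': {
      const n = Number(raw);
      if (raw.trim() === '' || Number.isNaN(n)) throw new TypeError('expected number');
      return n;
    }
    case 'boolean':
      if (raw === 'true') return true;
      if (raw === 'false') return false;
      throw new TypeError('expected boolean');
    case 'object':
    case 'array': {
      const v = JSON.parse(raw);
      const isArr = Array.isArray(v);
      const ok = schema.type === 'array' ? isArr : (v !== null && typeof v === 'object' && !isArr);
      if (!ok) throw new TypeError(`expected ${schema.type}`);
      return v;
    }
    default:
      throw new TypeError(`unsupported schema type: ${schema.type}`);
  }
}

// Parse every declared parameter; undeclared query keys are ignored.
function parseQuery(rawQuery, schemas) {
  const out = {};
  for (const [name, schema] of Object.entries(schemas)) {
    out[name] = parseParameter(rawQuery[name], schema);
  }
  return out;
}

// The explicit check from the thread: assert on the parsed type directly,
// rather than trusting whatever an HTTP client happens to hand back.
function isStringParameter(parsed, name) {
  return typeof parsed[name] === 'string';
}

// Constructed sample standing in for req.query of an incoming request.
const sampleQuery = { bar: '{}', n: '42', f: '{"a":1}' };
const sampleSchemas = { bar: { type: 'string' }, n: { type: 'number' }, f: { type: 'object' } };
```

Running parseQuery(sampleQuery, sampleSchemas) yields bar as the string "{}", n as the number 42 and f as a real object, and isStringParameter(parsed, 'bar') is true.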