Closed kazitanvirahsan closed 6 years ago
If you're accepting textual input directly into the order
option as a string, that's an acknowledged vulnerability (also if you can upgrade definitely do so! If you pass order objects they are escaped and you can use normal JSON syntax). I've put off doing anything about it for a while now because there have been other features I've wanted more immediately and the applications I have using Massive don't allow direct input into order
by design. I am open to suggestions and pull requests though!
It would take replacing all the query generation with code that instead generates a query-formatting template, using either Index Variables or Named Parameters, and then passing all the formatting values in via either the as.format method or the query methods directly. The driver will take care of escaping everything correctly and prevent SQL injections.
It would also let you throw away most of the JavaScript-side type casting that's currently in the code.
Example from a library that does exactly that: https://github.com/parse-community/parse-server/blob/master/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
Although that example is far from optimal ;)
Nothing to do here.
We are using the massive-js library for document searching using the findDoc function.
Can you please tell me how I prevent SQL injection while passing 'Query options'?
From the massive-js docs, we can find https://massive-js.readthedocs.io/en/v2/simple_queries/
"order adds the value to the emitted query as an ORDER BY clause. Massive doesn't do any parsing or processing, so everything has to be exactly as you'd paste it into psql yourself."
and the code snippet from the above link:
....products.find({ in_stock: true }, { order: [ {field: "price", direction: "desc"}, {field: "specs->>'height'", direction: "asc", type: "int"} ] }, function (err, products) {...});
My question is: how do we escape the values of 'field' and 'direction' above?
I don't mind doing it explicitly before handing over to massive-js.
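One way to do that escaping explicitly on the application side, before the order option reaches Massive, as an added example that is not massive-js or pg-promise code (the helper names and the cast whitelist are my own assumptions). It quotes each `field` as a PostgreSQL identifier (or, for the `col->>'key'` form from the docs, quotes the column and the key separately), whitelists `direction` and `type`, and throws on anything else, so the only way to influence the emitted SQL is through a column name that PostgreSQL will reject if it does not exist:

```javascript
// Added example: application-side sanitising of Massive's `order` option.
// Not massive-js or pg-promise code; all helper names here are hypothetical.

// Escape a PostgreSQL identifier: wrap in double quotes, double any inner quote.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0) throw new TypeError('bad identifier');
  return '"' + name.replace(/"/g, '""') + '"';
}

// Escape a string literal: double single quotes; reject NUL, which cannot appear in text.
function quoteLiteral(value) {
  if (typeof value !== 'string' || value.includes('\0')) throw new TypeError('bad literal');
  return "'" + value.replace(/'/g, "''") + "'";
}

const DIRECTIONS = new Set(['asc', 'desc']);
// Constructed whitelist of casts the application allows; extend as needed.
const CASTS = new Set(['int', 'bigint', 'numeric', 'text', 'timestamptz']);

// Accept either a plain column name or the single JSON form col->>'key' seen in the docs.
function escapeField(field) {
  const m = /^([A-Za-z_][A-Za-z0-9_]*)->>'([^']*)'$/.exec(field);
  if (m) return quoteIdent(m[1]) + '->>' + quoteLiteral(m[2]);
  return quoteIdent(field);
}

// Turn [{field, direction, type}] into a safe ORDER BY body; throws on anything off-whitelist.
function buildOrderBy(order) {
  return order.map(({ field, direction = 'asc', type }) => {
    const dir = String(direction).toLowerCase();
    if (!DIRECTIONS.has(dir)) throw new Error('invalid direction: ' + direction);
    let expr = escapeField(field);
    if (type !== undefined) {
      if (!CASTS.has(type)) throw new Error('invalid cast: ' + type);
      expr = '(' + expr + ')::' + type;
    }
    return expr + ' ' + dir.toUpperCase();
  }).join(', ');
}

// Constructed input mirroring the docs snippet, with one hostile entry for contrast.
const safeOrder = buildOrderBy([
  { field: 'price', direction: 'desc' },
  { field: "specs->>'height'", direction: 'asc', type: 'int' },
]);
// safeOrder === '"price" DESC, ("specs"->>\'height\')::int ASC'
```

On a Massive version that passes `order` through verbatim, the returned string is what you hand over as the order option; on versions where order objects are escaped, upgrading is the better fix.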