leodinas-hao / mongoose-query-parser

Convert url query string to MongooseJs friendly query object including advanced filtering, sorting, population, string template, type casting and many more...
MIT License

Blacklist not working in JSON filter parameter #16

Closed aogzpa closed 3 years ago

aogzpa commented 3 years ago

Good afternoon @leodinas-hao,

I've been using mongoose-query-parser in a project and I've detected that advanced filters passed in the corresponding JSON filter query parameter don't go through the blacklist excluding filter. As a result, you end up having blacklisted keys in the resulting query.

I think it would be a great feature, because several security issues arise when this is overlooked.

Thank you and keep up the good work!

leodinas-hao commented 3 years ago

Hi @aogzpa, Thank you very much for your PR and it's merged into v1.2.1.

Appreciate your help & support!
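
Added example, not part of the thread and not the code merged in v1.2.1: a stand-alone JavaScript sketch of the gap the issue reports, with a blacklist checked only on top-level query parameters beside one applied recursively to the parsed JSON `filter` value. The function names, the blacklist entries and the sample query string are assumptions made for illustration.

```javascript
// Added example; not mongoose-query-parser's code. All names are hypothetical.
const BLACKLIST = new Set(['password', 'apiKey']);

const isEmptyObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v) && Object.keys(v).length === 0;

// Remove blacklisted keys at any depth, including inside operator arrays
// such as $or / $and and dotted paths such as "password.hash".
function stripBlacklisted(node) {
  if (Array.isArray(node)) {
    // Clauses that end up empty are dropped from the array.
    return node.map(stripBlacklisted).filter((item) => !isEmptyObject(item));
  }
  if (node === null || typeof node !== 'object') return node;
  const kept = [];
  for (const [key, value] of Object.entries(node)) {
    if (BLACKLIST.has(key.split('.')[0])) continue;
    const child = stripBlacklisted(value);
    // Drop an operator whose clauses were all stripped, e.g. {$or: []}.
    const emptied = Array.isArray(value) && value.length > 0 && child.length === 0;
    if (!emptied) kept.push([key, child]);
  }
  // fromEntries defines own properties, so a "__proto__" key stays plain data.
  return Object.fromEntries(kept);
}

// deep=false: blacklist checked on top-level parameters only (reported behaviour).
// deep=true: the parsed JSON filter also goes through the blacklist.
function parseQuery(queryString, { deep }) {
  let query = {};
  for (const [key, value] of new URLSearchParams(queryString)) {
    if (BLACKLIST.has(key)) continue;
    if (key !== 'filter') { query[key] = value; continue; }
    const parsed = JSON.parse(value);
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
      throw new TypeError('filter must be a JSON object');
    }
    query = { ...query, ...(deep ? stripBlacklisted(parsed) : parsed) };
  }
  return query;
}

// Constructed sample request: "password" appears as a plain parameter and
// again inside the JSON filter.
const SAMPLE = 'name=john&password=x&filter=' + encodeURIComponent(
  '{"$or":[{"password":"x"},{"status":"active"}],"password.hash":"y"}');

console.log(parseQuery(SAMPLE, { deep: false })); // blacklisted keys survive in filter
console.log(parseQuery(SAMPLE, { deep: true }));  // blacklisted keys removed
```

Stripping a clause changes what the query matches (removing one from `$and` widens it), so rejecting a request that names a blacklisted key is the stricter alternative.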