mblarsen / mongoose-hidden

A Mongoose schema plugin for filtering properties you usually do not want to send client-side, like passwords and IDs.
MIT License
89 stars 19 forks

Feat: Prevent hidden fields from being queried. #78

Closed SirTangent closed 4 years ago

SirTangent commented 4 years ago

I found a potential security vulnerability if you allow clients to pass query objects. The library allows for queries of documents that meet conditions for hidden fields, which can expose values to the client through brute force.

The easiest fix I'm using is to deconstruct the hidden fields from the query object beforehand.

let query = req.body.query;
let { hiddenFieldA, hiddenFieldB, ...protected_query } = query

However, I'm wondering if it would be useful for the library to have deconstruction built-in for mongoose queries; therefore, adding more security. Not sure if there is another addon for it.
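
The filtering idea from the comment above, as an added example that is not part of the original comment and not mongoose-hidden code. It goes beyond top-level destructuring by also handling dotted sub-paths and the logical operators `$and`/`$or`/`$nor`, and by rejecting `$where` and `$expr`. `HIDDEN_PATHS`, `isHiddenKey` and `stripHiddenConditions` are hypothetical names.

```javascript
// Hypothetical hidden paths; in a real app these mirror the schema's hidden fields.
const HIDDEN_PATHS = ['password', 'resetToken'];
const LOGICAL = new Set(['$and', '$or', '$nor']); // operators holding sub-filters
const REJECTED = new Set(['$where', '$expr']);    // can read any field by name

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// True for "password" and for sub-paths such as "password.hash".
function isHiddenKey(key, hiddenPaths) {
  return hiddenPaths.some((p) => key === p || key.startsWith(p + '.'));
}

// Returns a copy of a client-supplied filter without conditions on hidden paths.
function stripHiddenConditions(filter, hiddenPaths = HIDDEN_PATHS) {
  if (!isObject(filter)) throw new TypeError('filter must be an object');
  const clean = {};
  for (const [key, value] of Object.entries(filter)) {
    if (REJECTED.has(key)) throw new Error(`${key} is not allowed in client filters`);
    if (isHiddenKey(key, hiddenPaths)) continue;
    if (LOGICAL.has(key)) {
      if (!Array.isArray(value)) throw new TypeError(`${key} must be an array`);
      const branches = value
        .map((branch) => stripHiddenConditions(branch, hiddenPaths))
        .filter((branch) => Object.keys(branch).length > 0);
      // MongoDB rejects empty $and/$or/$nor arrays, so drop the operator.
      if (branches.length > 0) clean[key] = branches;
      continue;
    }
    clean[key] = value;
  }
  return clean;
}

// Constructed sample input: top-level destructuring would remove only the first key.
const sample = {
  password: { $regex: '^a' },
  role: 'admin',
  $or: [{ 'resetToken.value': { $gt: '' } }, { name: 'alice' }],
  $and: [{ password: 'hunter2' }],
};
console.log(JSON.stringify(stripHiddenConditions(sample)));
```

Conditions on non-hidden paths pass through unchanged, so the result can be handed to a query in place of the raw client object.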

mblarsen commented 4 years ago

Can you elaborate a bit about the "passing of query objects"?

Do you mean that the user could set a field as { hidePassword: false } or what is the scenario you are describing?

If so can you elaborate on the problem (by example) and your proposal (if you have one)?

Thanks for submitting the issue.

mblarsen commented 4 years ago

I'm not clearly seeing the purpose of this within the domain of this plug-in. It seems more a concern in your controllers.

With no further elaboration provided I'm closing the issue.