Open mtrezza opened 2 years ago
parse-github-assistant[bot]
commented
2 years ago 
dblythy
commented
1 year ago What do you think of adding a parameter such as ({raw: true}) to the aggregate? We could also make sure the existing aggregate fails safely.
mtrezza
commented
1 year ago What do you think of adding a parameter such as
({raw: true})to the aggregate?
Yes, a query based option could make it easier for a developer to migrate. If they have many aggregate queries in their code, they could migrate one-by-one.
We could also make sure the existing aggregate fails safely.
Also agreed, the query should fail without crashing the server in the example above. But it should not fail gracefully and return empty results for example. The developer needs to be aware that there's an issue.
dblythy
commented
1 year ago I'm trying to write an aggregate that makes the server crash, and I haven't been able to get it going. You might have more experience with aggregate.
it('can aggregate with raw', async () => {
const pointer = new PointerObject();
const obj = new TestObject({ fakepointer: pointer, name: 'hello' });
await obj.save();
const pipeline = [
{ match: { objectId: obj.id } },
{ project: { name: 1 } },
{
addFields : { fakepointer : {'_id': 1} }
}
];
const query = new Parse.Query(TestObject);
const results = await query.aggregate(pipeline);
console.log(results[0]); // { name: 'hello', fakepointer: { _id: 1 }, objectId: '9P7ktS91Xg' }
});Could you open a PR that would help me to play around to make it fail (even if the test passes for you).
dblythy
commented
1 year ago Sure, see #8172
New Issue Checklist
Issue Description
The results of a MongoDB aggregation query are modified in an opaque way on the server side as they are parsed like normal query results.
Why this is bad:
mongoshMongoDB Compass or any other toolWhat is changed in results:
_p_and their value is converted to Parse Object which can easily crash the server._idis converted toobjectId.An easy fix to prevent the crash could be to change the following line and add a condition that the value must be a string in parse pointer syntax
<string>$<string>, otherwise ignore that it looks like a pointer: https://github.com/parse-community/parse-server/blob/16b1b2a19714535ca805f2dbb3b561d8f6a519a7/src/Adapters/Storage/Mongo/MongoTransform.js#L1190 However, that would still modify the aggregation results which should be avoided.Steps to reproduce
fakepointer.Server looks up schema and finds that
fakepointershould be a pointer, so it tries to convert it to a pointer and expects the value to be of type string<ClassName>$<ObjectId>but its of type object so server crashes at:https://github.com/parse-community/parse-server/blob/16b1b2a19714535ca805f2dbb3b561d8f6a519a7/src/Adapters/Storage/Mongo/MongoTransform.js#L1071
Parse Server does not allow to store data like this, because a class field of type pointer is managed by Parse Server and its value cannot be manually set. But an aggregation query can return any valid JSON object.
Actual Outcome
Results are modified.
Expected Outcome
Server should not modify the results in any way.
Suggestion Solution
To easier manage this breaking change, introduce a new Parse Server MongoDB adapter option like
rawAggregation, which means the aggregation pipeline won't be modified before sending it to the DB (e.g. Parse Server server does not allow the dollar sign before the aggregation stage name but native MongoDB syntax requires it) and the query results won't be modified after receiving them from the DB. Make the option default tofalseand add a deprecation warning to make it default totruein the future probably remove the option in the future completely.Environment
Server
5.1.1Logs
n/a