Comments (6)
Hi,
Thank you for using this plugin.
Sorry for my late reply!
In your "fake" request you are requesting the fields name and created.
So if you want only name, either remove the mDataProp1=created or, in options.select, try to use "-created".
Regards,
from mongoose-datatable.
Yes, sure)
I'm trying to say that a client can get any field from the collection by posting a fake request with mDataProp1=ANYFIELDNAME.
So EVERYONE can brute-force field names to get sensitive data.
For example, mDataProp_1=phone, mDataProp_1=user, mDataProp_1=password, mDataProp_1=address, mDataProp_1=email etc.
I think the plugin has to deny access to all fields except the fields that are in option.select.
The security concept "deny all, then allow some" is good for any application, I think)
try to use "-created"
I am too lazy to hide every field in all collections except the needed ones...
And "-created" is not working...
    Model.dataTable(req.query, {
        conditions: conditions,
        select: '-created'
    }, callback)
Error:
The top-level _id field is the only field currently supported for exclusion (Mongo 2.6.4)
If you want to prevent selecting sensitive fields, a better approach is to make something like select: false in the model, e.g.
    var schema = {
        name: {
            type: String,
            unique: true,
            required: true
        },
        created: {
            type: Date,
            default: Date.now,
            select: false
        }
        ...
But there are some other bugs in your plugin with the following example
    var schema = {
        name: {
            type: String,
            unique: true,
            required: true,
            select: false
        },
        created: {
            type: Date,
            default: Date.now,
            select: false
        }
I get absolutely all fields in response...
    {
        "sEcho": "1",
        "iTotalRecords": 4,
        "iTotalDisplayRecords": 4,
        "aaData": [
            {
                "_id": "54212efec31fdbxxxx",
                "name": "45",
                "users": [],
                "domains": [
                    "54240zxxxx"
                ],
                "created": "2014-09-23T08:27:42.350Z",
                "__v": 1
            }, ....
It is not safe out of the box.
Regards
from mongoose-datatable.
You are right, in the previous documentation I mentioned this:
"If the field is marked as not selectable in the schema (select: false) or if the option dataTableSelect on the field exist and is set to false (dataTableSelect: false) then the field will not be selected even if it was requested by the dataTable client."
But I can't find it anymore, I'll have to update the current documentation.
In the meantime, these are the following issues, right:
- options.select = "-FIELD" does not prevent the selection of the field
- Mongoose schema field option "select: false" does not prevent the selection of the field
I'll check this as soon as possible and push a fix.
Thanks for your feedback
from mongoose-datatable.
Ok I have updated the documentation and tested the select: false and dataTableSelect: false.
It is working for me, I have updated the test.
Using options.select = "-FIELD" is not supported by MongoDB yet, so it is not the right way to do it.
Check in the test folder, maybe I missed something... Let me know
from mongoose-datatable.
Thank You!
I'll try to check tonight!)
from mongoose-datatable.
So, select: false and dataTableSelect: false work, but there is a security bug if all requested fields are marked with select/dataTableSelect: false:
    var mongoose = require('mongoose');
    var DataTable = require('mongoose-datatable');
    var url = require('url');

    // Register the plugin before any model is compiled.
    mongoose.plugin(DataTable.init);

    mongoose.connect('mongodb://127.0.0.1/test');
    var db = mongoose.connection;
    db.on('error', console.error.bind(console, 'connection error:'));
    db.once('open', function () {
        console.log('Connected to DB');
    });

    // name and created are marked dataTableSelect: false; only password is selectable.
    var schema = {
        name: {
            type: 'String',
            dataTableSelect: false
        },
        password: {
            type: 'String'
        },
        created: {
            type: 'Date',
            default: Date.now,   // pass the function, not Date.now(), so each document gets its own timestamp
            dataTableSelect: false
        }
    };
    var mongooseSchema = new mongoose.Schema(schema);
    var usersModel = mongoose.model('users', mongooseSchema);

    // DataTables 1.9 server-side request asking only for the two non-selectable fields.
    var query = '?sEcho=1&iColumns=2&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=name&mDataProp_1=created&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&_=1413632467737';
    var queryData = url.parse(query, true).query;

    usersModel.dataTable(queryData, {}, function (err, docs) {
        console.log(err);
        console.log(JSON.stringify(docs, null, 4));
        mongoose.disconnect();   // let the script exit once the result is printed
    });
outputs all fields of the collection:
    {
        "sEcho": "1",
        "iTotalRecords": 2,
        "iTotalDisplayRecords": 2,
        "aaData": [
            {
                "_id": "54424b5bf3e34306fab66920",
                "name": "name1",
                "password": "password1",
                "created": "2014-01-01"
            },
            {
                "_id": "54424b65f3e34306fab66921",
                "name": "name2",
                "password": "password2",
                "created": "2014-01-02"
            }
        ]
    }
or a real-life schema example:
    var schema = {
        name: {
            type: 'String'
        },
        password: {
            type: 'String',
            dataTableSelect: false   // the only field the client must not be able to select
        },
        created: {
            type: 'Date',
            default: Date.now   // function, not Date.now(), so the default is evaluated per document
        }
    };

    // Forged request asking only for the non-selectable password field.
    var query = '?sEcho=1&iColumns=1&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=password&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&_=1413632467737';
same output as above
from mongoose-datatable.
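The thread raises two points that one piece of code can illustrate: the "deny all, then allow some" request handling asked for earlier, and the last report, where a request that names only non-selectable fields comes back with every field. The example below is added here and is not mongoose-datatable's own code or API. It builds a MongoDB projection from a DataTables 1.9 request (the mDataProp_N parameter names used in the queries above) against an allowlist derived from the schema options the thread uses (select: false / dataTableSelect: false), and it refuses the request when the intersection is empty, because an empty projection handed to MongoDB means "return all fields". The function names, the SCHEMA and DOCS constants, and the in-memory applyProjection() stand-in for a real MongoDB query are all constructed for this example.

```javascript
'use strict';
// Added example, not mongoose-datatable code: deny-by-default field selection
// for a DataTables 1.9 server-side request. Runs offline; MongoDB inclusion-
// projection semantics are simulated in applyProjection() on constructed docs.

// Fields the client asked for via mDataProp_<n> (DataTables 1.9 parameter names).
function requestedFields(queryString) {
  const params = new URLSearchParams(queryString.replace(/^\?/, ''));
  const fields = [];
  for (const [key, value] of params) {
    if (/^mDataProp_\d+$/.test(key) && value !== '') fields.push(value);
  }
  return fields;
}

// Allowlist from a mongoose-style schema object: a field is selectable only if
// it is not marked select: false or dataTableSelect: false (the option names
// used in the thread). Unknown field names are denied because they are absent.
function selectableFields(schema) {
  return Object.keys(schema).filter(
    (f) => schema[f].select !== false && schema[f].dataTableSelect !== false
  );
}

// Intersect the request with the allowlist. If nothing survives, refuse the
// request: an empty projection must never reach MongoDB, since an empty
// projection means "return every field" (the failure mode reported above).
function buildProjection(queryString, schema) {
  const allowed = new Set(selectableFields(schema));
  const wanted = requestedFields(queryString);
  const denied = wanted.filter((f) => !allowed.has(f));
  const granted = wanted.filter((f) => allowed.has(f));
  if (granted.length === 0) {
    throw new Error('no selectable fields requested; refusing instead of ' +
                    'falling back to an empty (all-fields) projection');
  }
  const projection = {};
  for (const f of granted) projection[f] = 1;
  // Inclusion projections return _id implicitly; suppress it unless allowlisted.
  if (!allowed.has('_id')) projection._id = 0;
  return { projection, denied };
}

// Simulates MongoDB inclusion-projection semantics on an in-memory document
// so the example runs without a database (hypothetical stand-in).
function applyProjection(doc, projection) {
  const out = {};
  for (const key of Object.keys(doc)) {
    const keep = key === '_id' ? projection._id !== 0 : projection[key] === 1;
    if (keep) out[key] = doc[key];
  }
  return out;
}

// Constructed sample schema and document mirroring the "real-life" example above.
const SCHEMA = {
  name: { type: 'String' },
  password: { type: 'String', dataTableSelect: false },
  created: { type: 'Date', default: Date.now },
};
const DOCS = [
  { _id: '54424b5bf3e34306fab66920', name: 'name1', password: 'password1', created: '2014-01-01' },
];

// Full round trip: parse request, build projection, project the sample rows.
function run(queryString) {
  const { projection, denied } = buildProjection(queryString, SCHEMA);
  return { denied, rows: DOCS.map((d) => applyProjection(d, projection)) };
}

// Legitimate request: only name and created are returned, password never is.
console.log(JSON.stringify(run('?sEcho=1&mDataProp_0=name&mDataProp_1=created')));
// Forged request for the non-selectable field alone is refused outright,
// rather than returning the whole document.
try {
  run('?sEcho=1&mDataProp_0=password');
} catch (e) {
  console.log('refused:', e.message);
}
```

The `denied` list returned alongside the projection is worth logging server-side: a request that keeps probing field names that are not on the allowlist is exactly the brute-force pattern described earlier in the thread.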