Fix prevent changes and discard hooks #406
Merged
Summary
Enable the hooks discard and preventChanges to delete properties containing a dot.
Problem
This is about nested objects in PATCH requests. A PATCH request for MongoDB can either replace an entire object through a request like this:
{ "contactPerson": { "lastName": "Doe", "firstName": "John" } }
or it can update an individual property like this:
{ "contactPerson.firstName": "Jane" }
In the latter case, only the property firstName will be updated, while lastName will stay intact. The MongoDB documentation explains this here: https://docs.mongodb.com/manual/reference/operator/update/set/#up._S_set (feathers-mongoose implicitly wraps the object from a PATCH request with a {$set : ...} object).
Currently, however, both discard('contactPerson.firstName') and preventChanges(false, 'contactPerson.firstName') only catch the first PATCH object and ignore the second one.
Expectation
The discard hook would remove both property formats from the PATCH request to prevent updating e.g. passwords, usernames etc.
I would bet that quite a few systems are currently subject to an attack because their owners assume that both discard and preventChanges remove the second PATCH format as well.
Solution
Both hooks check whether there is a property containing the dot on the object itself. If so, delete that property.
The previous behavior remains unchanged: The dot notation will also traverse the object tree. So, both context.data.contactPerson.firstName and context.data['contactPerson.firstName'] will be caught.
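To illustrate the two PATCH shapes and the fix described above, here is a small standalone version of the discard and preventChanges logic. It is example code written for this page, not feathers-hooks-common's own implementation; the helper names (deletePath, hasPath, discardFields, findForbidden, discardHook) are hypothetical.

```javascript
// Walk a dotted path ('contactPerson.firstName') through nested objects and
// delete the leaf. Returns true if something was deleted.
function deletePath(obj, path) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !(parts[i] in cur)) return false;
    cur = cur[parts[i]];
  }
  const leaf = parts[parts.length - 1];
  if (cur !== null && typeof cur === 'object' && leaf in cur) {
    delete cur[leaf];
    return true;
  }
  return false;
}

// True if the dotted path resolves through nested objects.
function hasPath(obj, path) {
  let cur = obj;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !(part in cur)) return false;
    cur = cur[part];
  }
  return true;
}

// discard-style behaviour: remove each field in BOTH shapes.
//   nested:  { contactPerson: { firstName: 'Jane' } }
//   literal: { 'contactPerson.firstName': 'Jane' }  (MongoDB $set dot notation)
function discardFields(data, fields) {
  for (const field of fields) {
    if (Object.prototype.hasOwnProperty.call(data, field)) delete data[field]; // literal key
    deletePath(data, field);                                                   // nested path
  }
  return data;
}

// preventChanges-style check: which forbidden fields appear in either shape?
function findForbidden(data, fields) {
  return fields.filter(f => Object.prototype.hasOwnProperty.call(data, f) || hasPath(data, f));
}

// Hypothetical Feathers-style hook wrapper operating on context.data.
const discardHook = (...fields) => context => {
  context.data = discardFields(context.data, fields);
  return context;
};

// Constructed sample: a PATCH body that carries the protected field in both shapes.
const sample = { contactPerson: { lastName: 'Doe', firstName: 'John' }, 'contactPerson.firstName': 'Jane' };
console.log(findForbidden(sample, ['contactPerson.firstName', 'role'])); // [ 'contactPerson.firstName' ]
console.log(discardHook('contactPerson.firstName')({ data: sample }).data); // { contactPerson: { lastName: 'Doe' } }
```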