[Feature] Add option to disable filters on each method

[yhojann-cl]

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

The problem is that every time you work with the express framework or any other for rest services you need two types of redundant input validations, the one that belongs to the controller and the one that belongs to the data layer.

For example, I have a collection called users which has a field called name, in mongoose I can define the data type as String and a regular expression to validate its content, but from the controller, every time a user wants to search for a list of users through their name I must use a second validation (for example with jsonschema) which validates that the name property is of type string since if it is passed directly to the findOne function of mongoose it could cause a vulnerability of type NoSQL injection and bring unexpected information.

The same thing happens in other types of selections such as accessing the user account or searching for a document through its id, the end user could send a conditional object instead of plain text with the bsonId string, especially when these Data travels through the body of the post or patch request.

In summary, for each project, redundant validations must be created for almost each mongoose function to avoid unexpected executions in the functions to be executed in mongodb and this significantly increases the amount of code and complicates the development architecture, forcing the creation of additional layers of validation or custom methods that duplicate the native functions for each model to be created.

To avoid this problem, i propose something very simple, create an option to temporarily disable the use of filters in the objects that are sent as arguments in the mongoose functions, this would allow the user's input to be used in the development of the application. direct and unfiltered in a completely safe way when performing simple searches.

If the schema says that a field is of type String, then it will automatically reject any data type other than String if filters are disabled.

References:

• https://portswigger.net/web-security/nosql-injection
• https://book.hacktricks.xyz/pentesting-web/nosql-injection
• https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection.html

Motivation

Improve security and save redundant code.

Example

const schema = new mongoose.Schema({
    name: {
        type: String,
        required: true,
        validate: val => !!val.match(/^[a-zA-ZáéíóúñÁÉÍÓÚÑ\s,'"`]{1,32}$/) // Why not pattern attribute?
    }
});
const model = mongoose.model('users');

const router = express.Router();
router.get(`/users`, async (req, res, next) => {
    const documents = await model
        .find({ name: $regex: req.query.search })
        .sort({ name: 'asc' })
        .options({ filters: false }) // <- Proposal here!
        .exec();
    res.status(200).json(documents);
    next();
});

This would help improve the security of everything that is sent to mongoose and reduce the number of vulnerable projects, it would also save a lot of code and work time by avoiding having to create additional validations, especially when there is more than one attribute to control where not all They are of type String.

[vkarpov15]

What you're describing sounds like the sanitizeFilter option we introduced in Mongoose 6, see docs and intro blog post.

    // The following will throw an error if `req.query.search` is `{ $regex: 'abc' }` or `{ $lt: 'test' }` or any other query filter
    const documents = await model
        .find({ name: req.query.search })
        .sort({ name: 'asc' })
        .options({ sanitizeFilter: true })
        .exec();

Does the sanitizeFilter option sound like it fixes your issue?

[yhojann-cl]

But apparently it does not strictly sanitize according to the property type and it is still possible to send data types that do not correspond to the schema, for example:

console.log(mongoose.version); // 7.0.3
await mongoose.connect('mongodb://localhost:27017/mongoose_test');
const schema = new mongoose.Schema({ name: String });
const TestModel = mongoose.model('Test', schema);

const doc = new TestModel({ name: 'foobar' });
await doc.save();

const docs = await TestModel.find({ name: [ 'foobar' ] }).setOptions({ sanitizeFilter: true }).exec();
console.log(docs);

The results is:

[ { name: 'foobar',
    _id: new ObjectId("666d04f039e8d300b31d303f"),
    __v: 0 } ]

In the name property can send an array instead of a string value with disabled filters in options.

What I propose is an option for the input data to adhere to the schema and not just a simple elimination of filters that begin with the $ character. Or could it be a bug in that option?.

[github-actions]

This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days

[github-actions]

This issue was closed because it has been inactive for 19 days and has been marked as stale.

[vkarpov15]

#14985 adds a fix for the await TestModel.find({ name: [ 'foobar' ] }).sanitizeFilter() issue you mentioned.

If you want to disable casting for all strings (both in queries and when creating new documents), you can use mongoose.Schema.Types.String.set('cast', false);. For example, the following script throws a CastError even though Mongoose normally would convert the given Date to a string

import mongoose from 'mongoose';
import assert from 'assert';

mongoose.set('debug', true);
mongoose.Schema.Types.String.set('cast', false);

await mongoose.connect('mongodb://localhost:27017/mongoose_test');
const schema = new mongoose.Schema({
  name: { 
    type: String,
  }
});
const TestModel = mongoose.model('Test', schema);
await TestModel.deleteMany({});

const doc = new TestModel({ name: 'foobar' });
await doc.save();

// Throws a CastError
const docs2 = await TestModel.find({ name: new Date() }).setOptions({ sanitizeFilter: true }).exec();

We will consider adding an option to disable casting on a particular query, like await TestModel.find({ name: new Date() }).setOptions({ sanitizeFilter: true, cast: false }). But given that you seem to want to disable query casting on all queries, I think mongoose.Schema.Types.String.set('cast', false); is the way to go for your use case.

[vkarpov15]

We're going to close this issue, because we think that sanitizeFilters() with the fix in #14985 and cast: false + mongoose.Schema.Types.String.set('cast', false) is sufficient to address OP's use case of wanting to disable coercion of values in query filters.