Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disable select: false fields to query from specific find() operations even try get explicitly. #14333

Closed
2 tasks done
sifatullahsu opened this issue Feb 4, 2024 · 1 comment
Closed
2 tasks done

Disable select: false fields to query from specific find() operations even try get explicitly. #14333

sifatullahsu opened this issue Feb 4, 2024 · 1 comment
Labels
discussion If you have any thoughts or comments on this issue, please share them! enhancement This issue is a user-facing general improvement that doesn't fix a bug or add a new feature new feature This change adds new functionality, like a new method or class
Milestone
8.5

Comments

@sifatullahsu
Copy link

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

We all know about select:false & sanitizeProjection what it does. For certain query operations like find(), findById(), or findOne(), I, as a developer, want to ensure that no sensitive data is queried. I intend to disable the inclusion of such fields explicitly, even when attempting to retrieve them using syntax like find({}, '+password') or through population like .populate({ path: 'users', select: '+password' }). If I provide sanitizeProjection as an optional parameter, it should handle this exclusion for me.

Here we handle the projection and population from query parameter.

Or any other suggestions?

Example:

const userSchema = new Schema({
  name: { type: String, required: true },
  password: { type: String, required: true, select: false }
})

const result = await User.find({}, '+password', {
  sanitizeProjection: true
})

// At this point it return "name" and "password" both
// Requested features will return only "name"

Motivation

Motivation

The motivation stems from the ongoing development of the mongoose-query-maker package, where precise control over query parameters is fundamental for filtering, pagination, selection, and population in a controlled way with proper security via query parameter. Currently we're developing v3 for this, which can make it very easier from v2.

Example

No response
@sifatullahsu sifatullahsu added enhancement This issue is a user-facing general improvement that doesn't fix a bug or add a new feature new feature This change adds new functionality, like a new method or class labels Feb 4, 2024
@vkarpov15
Copy link
Collaborator

sanitizeProjection is more to protect against cases like UserModel.findById(_id).select({ name: '$password' });, which would replace the name field with the contents of the password field. That's currently the only purpose for sanitizeProjection.

However, you do make a good point that sanitizeProjection should protect against sensitive data ending up in the result. We will consider adding this for our next release and see if this breaks any existing tests.

@vkarpov15 vkarpov15 added this to the 8.2 milestone Feb 7, 2024
@vkarpov15 vkarpov15 added the discussion If you have any thoughts or comments on this issue, please share them! label Feb 7, 2024
@vkarpov15 vkarpov15 modified the milestones: 8.2, 7.x Unprioritized Feb 20, 2024
@vkarpov15 vkarpov15 modified the milestones: 7.x Unprioritized, 8.5 Jun 5, 2024
vkarpov15 added a commit that referenced this issue Jul 1, 2024
@vkarpov15
Merge branch '8.5' into vkarpov15/gh-14333
eb7deb0
vkarpov15 added a commit that referenced this issue Jul 3, 2024
@vkarpov15
Merge pull request #14691 from Automattic/vkarpov15/gh-14333
f48df23 
feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion If you have any thoughts or comments on this issue, please share them! enhancement This issue is a user-facing general improvement that doesn't fix a bug or add a new feature new feature This change adds new functionality, like a new method or class
Projects
None yet
Milestone
8.5
Development

No branches or pull requests
2 participants
@vkarpov15 @sifatullahsu