Turn off "don't cast update pipelines by default" in favor of a more secure approach #14424

@vkarpov15

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

In working on #14400, I got to thinking that the fact that update pipelines aren't cast may be risky for data integrity issues. Passing in untrusted data may lead to bypassing Mongoose casting entirely.

```javascript
// If `req.body.updates` is an array, no casting, so can add arbitrary fields and incorrect types for existing fields
await User.findOneAndUpdate({ _id: req.body.id }, req.body.updates);
```

We should consider making update pipelines opt-in, either using a `mongoose.updatePipeline()` helper:

```javascript
await User.findOneAndUpdate({ _id: req.body.id }, mongoose.updatePipeline([{ $set: { name: 'foo' } }]));
```

or with an `updatePipeline` option:

```javascript
await User.findOneAndUpdate({ _id: req.body.id }, [{ $set: { name: 'foo' } }], { updatePipeline: true });
```

What do you think @hasezoey @AbdelrahmanHafez ?
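
An application-side guard for the case described above, as an added example that is not part of the original issue or of Mongoose: it refuses array (pipeline) updates from request data and builds a `$set`-only document from an allowlist. The names `toSafeUpdate`, `classify` and `ALLOWED_FIELDS` are hypothetical, and the field list is a constructed stand-in for a `User` schema.

```javascript
// Added example: hypothetical guard, not part of Mongoose's API.
// ALLOWED_FIELDS is a constructed allowlist standing in for a User schema.
const ALLOWED_FIELDS = { name: 'string', age: 'number' };

function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Turn untrusted input into a `$set`-only update document, or throw.
// Intended use: User.findOneAndUpdate({ _id: id }, toSafeUpdate(req.body.updates))
function toSafeUpdate(untrusted, allowed = ALLOWED_FIELDS) {
  // An array is an update pipeline, which is not cast against the schema.
  if (Array.isArray(untrusted)) {
    throw new TypeError('update pipelines are not accepted from request data');
  }
  if (!isPlainObject(untrusted)) {
    throw new TypeError('update must be a plain object');
  }
  const $set = {};
  for (const [key, value] of Object.entries(untrusted)) {
    // Only flat field names: no operators ($set, $unset, ...) and no dotted paths.
    if (key.startsWith('$') || key.includes('.')) {
      throw new TypeError(`unexpected key: ${key}`);
    }
    if (!Object.prototype.hasOwnProperty.call(allowed, key)) {
      throw new TypeError(`field not allowed: ${key}`);
    }
    // Primitive type check, so operator objects cannot stand in for values.
    if (typeof value !== allowed[key]) {
      throw new TypeError(`wrong type for ${key}`);
    }
    $set[key] = value;
  }
  if (Object.keys($set).length === 0) throw new TypeError('empty update');
  return { $set };
}

// Report the outcome without throwing, for logging or tests.
function classify(input) {
  try { return { ok: true, update: toSafeUpdate(input) }; }
  catch (err) { return { ok: false, reason: err.message }; }
}

// Constructed sample request bodies: one valid, three that must be refused.
const samples = [{ name: 'foo' }, [{ $set: { extra: 1 } }],
  { name: { $ne: null } }, { extra: 1 }];
for (const s of samples) console.log(JSON.stringify(s), '->', JSON.stringify(classify(s)));
```
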

Labels: backwards-breaking, discussion
