Commit 292bb4a9 authored by arcter's avatar arcter

Protection against NoSQLi

parent e34c9cfa
Pipeline #4722 failed with stages
in 1 minute and 6 seconds
> kszkepzes-backend@0.1.0 test /home/arcter/backend
> cross-env NODE_ENV=testing jest --forceExit --detectOpenHandles "src/resources/news/__tests__/newsFuncTest.js"
GET /api/v1/login/mock/accepted 200 41.803 ms - -
GET /api/v1/news/5f21e15660bf0da53b5e0434 200 21.219 ms - 117
GET /api/v1/login/mock/accepted 200 26.331 ms - -
console.error
{ CastError: Cast to ObjectId failed for value "almafa" at path "_id" for model "news"
at model.Query.exec (/home/arcter/backend/node_modules/mongoose/lib/query.js:4351:21)
at exports.default.getOne (/home/arcter/backend/src/resources/news/newsControllers.js:11:8)
at Layer.handle [as handle_request] (/home/arcter/backend/node_modules/express/lib/router/layer.js:95:5)
at next (/home/arcter/backend/node_modules/express/lib/router/route.js:137:13)
at isLoggedIn (/home/arcter/backend/src/middlewares/auth.js:5:24)
at Layer.handle [as handle_request] (/home/arcter/backend/node_modules/express/lib/router/layer.js:95:5)
at next (/home/arcter/backend/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/arcter/backend/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/arcter/backend/node_modules/express/lib/router/layer.js:95:5)
at /home/arcter/backend/node_modules/express/lib/router/index.js:281:22
at param (/home/arcter/backend/node_modules/express/lib/router/index.js:354:14)
at param (/home/arcter/backend/node_modules/express/lib/router/index.js:365:14)
at Function.process_params (/home/arcter/backend/node_modules/express/lib/router/index.js:410:3)
at next (/home/arcter/backend/node_modules/express/lib/router/index.js:275:10)
at Function.handle (/home/arcter/backend/node_modules/express/lib/router/index.js:174:3)
at router (/home/arcter/backend/node_modules/express/lib/router/index.js:47:12)
messageFormat: undefined,
stringValue: '"almafa"',
kind: 'ObjectId',
value: 'almafa',
path: '_id',
reason:
Error: Argument passed in must be a single String of 12 bytes or a string of 24 hex characters
at new ObjectID (/home/arcter/backend/node_modules/bson/lib/bson/objectid.js:59:11)
at castObjectId (/home/arcter/backend/node_modules/mongoose/lib/cast/objectid.js:25:12)
at ObjectId.cast (/home/arcter/backend/node_modules/mongoose/lib/schema/objectid.js:267:12)
at ObjectId.SchemaType.applySetters (/home/arcter/backend/node_modules/mongoose/lib/schematype.js:1031:12)
at ObjectId.SchemaType._castForQuery (/home/arcter/backend/node_modules/mongoose/lib/schematype.js:1459:15)
at ObjectId.SchemaType.castForQuery (/home/arcter/backend/node_modules/mongoose/lib/schematype.js:1449:15)
at ObjectId.SchemaType.castForQueryWrapper (/home/arcter/backend/node_modules/mongoose/lib/schematype.js:1428:15)
at cast (/home/arcter/backend/node_modules/mongoose/lib/cast.js:326:32)
at model.Query.Query.cast (/home/arcter/backend/node_modules/mongoose/lib/query.js:4740:12)
at model.Query.Query._castConditions (/home/arcter/backend/node_modules/mongoose/lib/query.js:1865:10)
at model.Query.<anonymous> (/home/arcter/backend/node_modules/mongoose/lib/query.js:2122:8)
at model.Query._wrappedThunk [as _findOne] (/home/arcter/backend/node_modules/mongoose/lib/helpers/query/wrapThunk.js:16:8)
at process.nextTick (/home/arcter/backend/node_modules/kareem/index.js:369:33)
at process._tickCallback (internal/process/next_tick.js:61:11) }
21 | if (err.name === 'CastError') {
22 | // Throwed by Mongoose
> 23 | console.error(err)
| ^
24 | return res.status(422).json({ message: 'Invalid ID provided' })
25 | }
26 |
at exports.default.getOne (src/resources/news/newsControllers.js:23:15)
GET /api/v1/news/almafa 422 17.349 ms - 33
GET /api/v1/login/mock/accepted 200 17.865 ms - -
......@@ -6,7 +6,7 @@ const cors = require('cors')
const morgan = require('morgan')
const passport = require('passport')
const cookieSession = require('cookie-session')
var filter = require('content-filter')
require('dotenv').config()
const routers = require('./routers')
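Review bot: `var filter = require('content-filter')` is the only `var` among the `const` requires around it (`morgan`, `passport`, `cookieSession`, `routers`); make it `const filter = require('content-filter')`. In the second hunk, `app.use(filter())` is called with no options, so whatever default deny-list the package ships is what protects every route, and the commit does not say which request parts or characters are inspected; pass an explicit options object and replace the `//NoSQLI prevention` comment with one naming what is filtered and that the middleware must be registered before the routers. Presumably the package inspects the parsed body, in which case it only helps if it runs after the body parser, whose registration is outside the hunk — confirm the order. A character deny-list is defense in depth, not a replacement for validating `req.params.id` as an ObjectId in each controller, which the 422 CastError branch shown in the test log already does.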
......@@ -44,6 +44,9 @@ app.use(
app.use(passport.initialize())
app.use(passport.session())
//NoSQLI prevention
app.use(filter());
if (!config.default.isTest || config.default.isDev) {
require('./utils/oauthSetup')
app.get(