Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add option to disable $where clause #155

Closed
shanejonas opened this issue Sep 21, 2020 · 3 comments
Closed

add option to disable $where clause #155

shanejonas opened this issue Sep 21, 2020 · 3 comments
Labels
enhancement

Comments

@shanejonas
Copy link

shanejonas commented Sep 21, 2020
edited
Loading

Is your feature request related to a problem? Please describe.
I'm trying to use mingo to allow querying a just subset of data via an API, but i'd like to not allow $where or any eval clauses.

Describe the solution you'd like
As a user of mingo, for security purposes, I'd like to not allow any evals in queries such as $where: "this.foo && this.bar", is theres a way to disable it?

Additional context
Heres the reference on how to disable this in the mongodb documentation:

image

source: https://docs.mongodb.com/manual/reference/operator/query/where/#javascript-enablement
@kofrasa
Copy link
Owner

kofrasa commented Oct 15, 2020

This seems reasonable. I will see if I can add it to the next release

@kofrasa
Copy link
Owner

kofrasa commented Jan 7, 2021

In the next release $where will not be registered by default and must be included explicitly by users.

@kofrasa
Copy link
Owner

kofrasa commented Jan 7, 2021

Fixed in 4.0.0

@kofrasa kofrasa closed this as completed Jan 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shanejonas @kofrasa