README.md: +19 -2
@@ -65,8 +65,8 @@ of type `GeoPoint`. This allows for indexed ```near``` queries. Default is `fal
   - If set to `true`, the database instance will not be attached to the datasource and the connection is deferred.
   - It will try to establish the connection automatically once users hit the endpoint. If the mongodb server is offline, the app will start, however, the endpoints will not work.
 -**disableDefaultSort**: Set to `true` to disable the default sorting
-behavior on `id` column, this will help performance using indexed
-columns available in mongodb.
+behavior on `id` column, this will help performance using indexed columns available in mongodb.
+
 ### Setting the url property in datasource.json
 
 You can set the `url` property to a connection URL in `datasources.json` to override individual connection parameters such as `host`, `user`, and `password`.
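Review bot: the context line `-**disableDefaultSort**: Set to `true` to disable the default sorting` (old/new 67) has no space between the dash and the bold text, unlike the `- If set to` and `- It will try` items above it, so Markdown will not render it as a list item; since this hunk already rewraps that paragraph, fix it in the same commit as `- **disableDefaultSort**: ...`. The rejoined line at new 68 would also read better without the comma splice, e.g. `behavior on the `id` column; this lets queries use the indexes available in MongoDB.`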
@@ -91,6 +91,23 @@ For example, for production, use `datasources.production.json` as follows (for e
 
 For more information on setting data source configurations for different environments, see [Environment-specific configuration](https://loopback.io/doc/en/lb3/Environment-specific-configuration.html#data-source-configuration).
 
+## Security Considerations
+
+MongoDB Driver allows the `$where` operator to pass in JavaScript to execute on the Driver which can be used for NoSQL Injection. See [MongoDB: Server-side JavaScript](https://docs.mongodb.com/manual/core/server-side-javascript/) for more on this MongoDB feature.
+
+To protect users against this potential vulnerability, LoopBack will automatically **remove** the `$where` and `mapReduce` operators from a query before it's passed to the MongoDB Driver. If you need to use these properties from within LoopBack programatically, you can disable the sanitization by passing in an `options` object with `disableSanitization` property set to `true`.
+
+**Example:**
+```js
+Post.find(
+{where: {$where:'function() { /*JS function here*/}'}},
+{disableSanitization:true},
+(err, p) => {
+// code to handle results / error.
+}
+);
+```
+
 ## Type mappings
 
 See [LoopBack types](http://loopback.io/doc/en/lb3/LoopBack-types.html) for details on LoopBack's data types.
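Review bot: the paragraph at new line 98 needs an explicit warning that `disableSanitization: true` is only acceptable when the `where` clause is assembled from trusted, server-side values and never from request input, because it re-enables exactly the `$where` JavaScript injection the sanitizer exists to block; the example at 102-108 should carry the same caveat in its comment rather than just `// code to handle results / error.`. Line 96 also misstates where the code runs: `$where` JavaScript executes on the MongoDB server, not "on the Driver" (the page you link is titled "Server-side JavaScript"), so say `execute on the MongoDB server`. Minor: `programatically` on line 98 should be `programmatically`.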