.eslintignore

@@ -0,0 +1 @@
+coverage

.github/ISSUE_TEMPLATE.md

@@ -11,7 +11,15 @@ Immediate support:
 
 <!--
 If feature: A description of the feature
-If bug: Steps to reproduce + link to sample repo
+If bug: Steps to reproduce
+-->
+
+# Link to reproduction sandbox
+
+<!--
+Link to an app sandbox for reproduction
+
+Note: Failure to provide a sandbox application for reproduction purposes will result in the issue being closed.
 -->
 
 # Expected result

.github/PULL_REQUEST_TEMPLATE.md

@@ -6,17 +6,18 @@
 <!--
 Please use the following link syntaxes:
 
-- #49 (to reference issues in the current repository)
-- strongloop/loopback#49 (to reference issues in another repository)
+- connect to #49 (to reference issues in the current repository)
+- connect to strongloop/loopback#49 (to reference issues in another repository)
 -->
 
-- None
+- connect to <link_to_referenced_issue>
 
 ### Checklist
 
 <!--
-Please mark your choice with an "x" (i.e. [x], see
+- Please mark your choice with an "x" (i.e. [x], see
 https://github.com/blog/1375-task-lists-in-gfm-issues-pulls-comments)
+- PR's without test coverage will be closed.
 -->
 
 - [ ] New tests added or existing tests modified to cover all changes

.github/stale.yml

@@ -0,0 +1,23 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 14
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+  - critical
+  - p1
+  - major
+# Label to use when marking an issue as stale
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: >
+  This issue has been closed due to continued inactivity. Thank you for your understanding.
+  If you believe this to be in error, please contact one of the code owners,
+  listed in the `CODEOWNERS` file at the top-level of this repository.

.npmrc

@@ -0,0 +1 @@
+package-lock=false

.travis.yml

@@ -1,16 +1,18 @@
 language: node_js
 node_js:
-  - "4"
   - "6"
+  - "8"
+  - "10"
 env:
   - CXX=g++-4.8
 addons:
   apt:
     sources:
       - ubuntu-toolchain-r-test
+      - mongodb-3.2-precise
     packages:
       - g++-4.8
+      - mongodb-org-server
+      - mongodb-org-shell
 services:
   - mongodb
-before_script:
-  - mongo mydb_test --eval 'db.addUser("travis", "test");'

CHANGES.md

@@ -1,3 +1,113 @@
+2018-08-15, Version 3.6.0
+=========================
+
+ * docs: update with security consideration section (virkt25)
+
+ * fix: sanitize query by default (virkt25)
+
+ * change `count` to `countDocuments` (Rahmat Nugraha)
+
+ * add `useNewUrlParser` on validOptionNames (Rahmat Nugraha)
+
+ * Dedicated Model for testing disableDefaultSort (HugoPoi)
+
+ * Add disableDefaultSort in README (HugoPoi)
+
+ * Add settings disableDefaultSort for find method (HugoPoi)
+
+
+2018-07-23, Version 3.5.0
+=========================
+
+ * chore: drop node 4 and update deps (Taranveer Virk)
+
+ * [WebFM] cs/pl/ru translation (candytangnb)
+
+
+2018-06-05, Version 3.4.4
+=========================
+
+ * Fields projection fix (#436) (John Gonyo)
+
+
+2018-04-06, Version 3.4.3
+=========================
+
+ * update bson version (Diana Lau)
+
+
+2018-03-23, Version 3.4.2
+=========================
+
+ * chore:update CODEOWNERS (Diana Lau)
+
+ * Prioritize db url (Dimitris)
+
+ * CODEOWNERS: add nitro404 (Miroslav Bajtoš)
+
+
+2018-01-19, Version 3.4.1
+=========================
+
+ * fix: allow db name to be parsed from url (Raymond Feng)
+
+
+2018-01-19, Version 3.4.0
+=========================
+
+ * upgrade to mongodb driver 3.x (Raymond Feng)
+
+ * Alias find as findById (jannyHou)
+
+
+2017-12-04, Version 3.3.1
+=========================
+
+ * Switch to bson.ObjectID (#401) (Kevin Delisle)
+
+ * chore: update license (Diana Lau)
+
+
+2017-10-13, Version 3.3.0
+=========================
+
+ * update strong-globalize to 3.1.0 (shimks)
+
+ * Create Issue and PR Templates (#386) (Sakib Hasan)
+
+ * Use stalebot on this repo (#383) (Kevin Delisle)
+
+ * Use stalebot on this repo (Kevin Delisle)
+
+ * Add CODEOWNER file (Diana Lau)
+
+
+2017-07-10, Version 3.2.1
+=========================
+
+ * Apply feedback (ssh24)
+
+ * Add docs on lazyConnect flag (ssh24)
+
+
+2017-06-28, Version 3.2.0
+=========================
+
+ * Remove the hard-coded writeConcern (Raymond Feng)
+
+ * Document strictObjectIDCorecion flag (Loay)
+
+ * Allow different forms of regexp on like/nlike op (ssh24)
+
+ * Require init on mocha args (ssh24)
+
+ * Use buildSort function to sort (ssh24)
+
+ * Add docker setup (#373) (Sakib Hasan)
+
+ * test: use mongodb-3.2 on Travis (#369) (Ryan Graham)
+
+
 2017-04-17, Version 3.1.0
 =========================
 

CODEOWNERS

@@ -0,0 +1,6 @@
+# Lines starting with '#' are comments.
+# Each line is a file pattern followed by one or more owners,
+# the last matching pattern has the most precendence.
+
+# Current maintainers
+* @jannyHou @loay @b-admike @virkt25 @dhmlau @shimks @nitro404

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) IBM Corp. 2012,2016. All Rights Reserved.
+Copyright (c) IBM Corp. 2012,2017. All Rights Reserved.
 Node module: loopback-connector-mongodb
 This project is licensed under the MIT License, full text below.
 

README.md

@@ -60,6 +60,12 @@ Edit `datasources.json` to add any other additional properties that you require.
 `$pop`, `$pullAll`, `$pull`, `$pushAll`, `$push`, and `$bit`.  Default is `false`.
 - **enableGeoIndexing**: Set to `true` to enable 2dsphere indexing for model properties
 of type `GeoPoint`. This allows for indexed ```near``` queries.  Default is `false`.
+- **lazyConnect**: 
+  - Default is `false`.
+  - If set to `true`, the database instance will not be attached to the datasource and the connection is deferred.
+  - It will try to establish the connection automatically once users hit the endpoint. If the mongodb server is offline, the app will start, however, the endpoints will not work.
+- **disableDefaultSort**: Set to `true` to disable the default sorting
+  behavior on `id` column, this will help performance using indexed columns available in mongodb.
 
 ### Setting the url property in datasource.json
 
@@ -85,6 +91,23 @@ For example, for production, use `datasources.production.json` as follows (for e
 
 For more information on setting data source configurations for different environments, see [Environment-specific configuration](https://loopback.io/doc/en/lb3/Environment-specific-configuration.html#data-source-configuration).
 
+## Security Considerations
+
+MongoDB Driver allows the `$where` operator to pass in JavaScript to execute on the Driver which can be used for NoSQL Injection. See [MongoDB: Server-side JavaScript](https://docs.mongodb.com/manual/core/server-side-javascript/) for more on this MongoDB feature.
+
+To protect users against this potential vulnerability, LoopBack will automatically **remove** the `$where` and `mapReduce` operators from a query before it's passed to the MongoDB Driver. If you need to use these properties from within LoopBack programatically, you can disable the sanitization by passing in an `options` object with `disableSanitization` property set to `true`.
+
+**Example:**
+```js
+Post.find(
+    {where: {$where: 'function() { /*JS function here*/}'}},
+    {disableSanitization: true},
+    (err, p) => {
+        // code to handle results / error.
+    }
+);
+```
+
 ## Type mappings
 
 See [LoopBack types](http://loopback.io/doc/en/lb3/LoopBack-types.html) for details on LoopBack's data types.
@@ -133,12 +156,28 @@ authentication enabled.
 
 ## Running tests
 
-The tests in this repository are mainly integration tests, meaning you will need
-to run them using our preconfigured test server.
+### Own instance
+If you have a local or remote MongoDB instance and would like to use that to run the test suite, use the following command:
+- Linux
+```bash
+MONGODB_HOST=<HOST> MONGODB_PORT=<PORT> MONGODB_DATABASE=<DATABASE> CI=true npm test
+```
+- Windows
+```bash
+SET MONGODB_HOST=<HOST> SET MONGODB_PORT=<PORT> SET MONGODB_DATABASE=<DATABASE> SET CI=true npm test
+```
 
-1. Ask a core developer for instructions on how to set up test server
-   credentials on your machine
-2. `npm test`
+### Docker
+If you do not have a local MongoDB instance, you can also run the test suite with very minimal requirements.
+- Assuming you have [Docker](https://docs.docker.com/engine/installation/) installed, run the following script which would spawn a MongoDB instance on your local:
+```bash
+source setup.sh <HOST> <PORT> <DATABASE>
+```
+where `<HOST>`, `<PORT>` and `<DATABASE>` are optional parameters. The default values are `localhost`, `27017` and `testdb` respectively.
+- Run the test:
+```bash
+npm test
+```
 
 ### Leak detection
 
@@ -165,6 +204,66 @@ make benchmarks
 
 The results will be output in `./benchmarks/results.md`.
 
+## strictObjectIDCoercion flag
+
+In version 1.17.0, the id of string type is being converted to ObjectID, when the string length is 12 or 24 and has the format of an ObjectID i.e /^[0-9a-fA-F]{24}$/. To avoid this issue, the strictObjectIDCoercion flag should be set to true in the model-definition file.
+
+model-definition.js
+
+```js
+{
+  "name": "myModelName",
+  "base": "PersistedModel",
+  "idInjection": false,
+  "options": {
+    "validateUpsert": true,
+    "strictObjectIDCoercion": true
+  },
+...
+}
+```
+boot-script.js
+
+```js
+'use strict';
+var util = require('util');
+
+module.exports = function(app) {
+  var db = app.dataSources.mongoDs;
+  var myModelName = app.models.myModelName;
+
+  db.automigrate(function(err) {
+    if (err) throw err;
+    console.log('Automigrate complete');
+
+    myModelName.create([{
+      id: '59460487e9532ae90c324b59',
+      name: 'Bob',
+    }, {
+      id: '59460487e9532ae90c324b5a',
+      name: 'Sam',
+    }, {
+      id: '420',
+      name: 'Foo',
+      age: 1,
+    }, {
+      id: '21',
+      name: 'Bar',
+    }], function(err, result) {
+      if (err) throw err;
+      console.log('\nCreated instances of myModelName: ' + util.inspect(result, 4));
+
+      myModelName.find({where: {id: {inq: ['59460487e9532ae90c324b59',
+        '59460487e9532ae90c324b5a']}}},
+      function(err, result) {
+        if (err) throw err;
+        console.log('\nFound instance with inq: ' + util.inspect(result, 4));
+      });
+    });
+  });
+};
+```
+
 ## Release notes
 
   * 1.1.7 - Do not return MongoDB-specific _id to client API, except if specifically specified in the model definition