How dangerous is a mongo query which is fed directly from a URL query string?

Backend | Unresolved | 3 | 1799
野趣味 2020-12-29 07:00

I am playing around with node.js, express, and mongoose.

For the sake of getting something up and running right now I am passing the Express query string object dire

3 answers
  •  [愿得一人]
    2020-12-29 07:35

    As far as I know, Express doesn't provide any out-of-the-box control for sanitization. Either you can write your own middleware or do some basic checks in your own logic. And as you said, the case you mention is a bit risky.

    But for ease of use the required types built into Mongoose models at least give you the default sanitizations and some control over what gets into or not.

    E.g. something like this:

    var mongoose = require('mongoose');
    var Schema = mongoose.Schema;

    // Typed fields: Mongoose casts incoming values to the declared type and
    // rejects documents that fail the `required`, `min` and `max` validators.
    var Person = new Schema({
      title   : { type: String, required: true }
    , age     : { type: Number, min: 5, max: 20 }
    , meta    : {
          likes : [String]
        , birth : { type: Date, default: Date.now }
      }
    });

    Check this for more info also.

    http://mongoosejs.com/docs/2.7.x/docs/model-definition.html
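The middleware the answer above suggests, as an added example that is not part of the original post or of Express/Mongoose: it builds a filter from `req.query` using an explicit allow-list of fields (`title` and `age` are assumed from the schema in the answer) and rejects any key that MongoDB would read as an operator, since Express's default extended query parser turns bracket syntax in a URL into nested objects rather than plain strings.

```javascript
// Added example (not from the original post). Allow-listed fields and their
// expected types; assumed to match the Person schema shown in the answer.
const ALLOWED = { title: 'string', age: 'number' };

// A key starting with '$' or containing '.' would be interpreted by MongoDB
// as an operator or a nested-field path, so it never comes from a trusted form.
function isOperatorKey(key) {
  return key.startsWith('$') || key.includes('.');
}

// Walk the parsed query recursively and throw on the first operator-like key.
function assertNoOperators(value) {
  if (Array.isArray(value)) { value.forEach(assertNoOperators); return; }
  if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) {
      if (isOperatorKey(k)) throw new Error('rejected query key: ' + k);
      assertNoOperators(value[k]);
    }
  }
}

// Turn a parsed query string object into a filter that only contains
// allow-listed fields holding scalar values of the declared type.
function buildFilter(query) {
  assertNoOperators(query);
  const filter = {};
  for (const [key, raw] of Object.entries(query)) {
    const type = ALLOWED[key];
    if (!type) continue;                       // unknown fields are dropped
    if (typeof raw !== 'string') throw new Error('expected scalar for ' + key);
    if (type === 'number') {
      const n = Number(raw);
      if (!Number.isFinite(n)) throw new Error('expected number for ' + key);
      filter[key] = n;
    } else {
      filter[key] = raw;
    }
  }
  return filter;
}

// Express-style middleware (assumed usage: app.get('/people', safeQuery, h)).
// The handler then calls Person.find(req.filter) instead of Person.find(req.query).
function safeQuery(req, res, next) {
  try { req.filter = buildFilter(req.query); next(); }
  catch (err) { res.status(400).json({ error: err.message }); }
}
```

A request such as `?title=Bob&age=12&role=admin` yields `{ title: 'Bob', age: 12 }`, while a query whose value parsed into an object with a `$`-prefixed key is answered with HTTP 400 before it reaches the database.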
