The best way to make Loopback GET query parameters safe? - mongodb

I'm using Loopback 3.x with loopback-connector-mongodb 3.x
Apparently, many built-in endpoints can take a filter parameter which can be defined as JSON and it may contain complex filter conditions like order, where, skip etc.. For example:
GET /api/activities/findOne?filter={"where":{"id":1234}}
However, although Loopback uses an ORM, it seems the request parameters are passed to mongodb without any kind of pre-processing or escaping.
I was unable to find any Loopback API method which could help me make the value safe.
If, for example, the user puts Javascript into the where filter, or adds unsupported characters (such as null char), the app throws an exception an exits.
I'm sure I'm missing something here. What's the best way to make the value passed in filter={...} safe?
Is there a built-in API method for this?
If there isn't, are there any node module I could use?

Thanks for the help guys!
I turned off Javascript in MongoDB and wrote a little middleware to handle escaping. This is registered in middleware.json and thus it runs before every request and escapes the values.
module.exports = function createEscaper(options) {
return function queryEscape(req, res, next) {
if (req.query.filter) {
// escape various things and update the value..
}
next();
};
}
But I find it really strange that neither the MongoDB connector nor Loopback itself provides any solution for this. I mean, these parameters are defined and handled in framework code. It's kinda crazy there is no built-in escaping whatsoever.

You can create a mixin which validates the JSON you receive.
For example:
module.exports = function(Model, options) {
Model.beforeRemote('find', (ctx, instance, next) => {
// Validate the filter object
}
}

Related

Do we have something similar to Pass, Continue and Break statement in Karate? [duplicate]

Find the example here.
def a = condition ? " karate match statement " : "karate match statement"
Is it possible to do something like this??
This is not recommended practice for tests because tests should be deterministic.
The right thing to do is:
craft your request so that the response is 100% predictable. do not worry about code-duplication, this is sometimes necessary for tests
ignore the dynamic data if it is not relevant to the Scenario
use conditional logic to set "expected value" variables instead of complicating your match logic
use self-validation expressions or schema-validation expressions for specific parts of the JSON
use the if keyword and call a second feature file - or you can even set the name of the file to call dynamically via a variable
in some cases karate.abort() can be used to conditionally skip / exit early
That said, if you really insist on doing this in the same flow, Karate allows you to do a match via JS in 0.9.6.RC4 onwards.
See this thread for details: https://github.com/intuit/karate/issues/1202#issuecomment-653632397
The result of karate.match() will return a JSON in the form { pass: '#boolean', message: '#string' }
If none of the above options work - that means you are doing something really complicated, so write Java interop / code to handle this

How to use match keyword inside if condition for UI automation using Karate? [duplicate]

Find the example here.
def a = condition ? " karate match statement " : "karate match statement"
Is it possible to do something like this??
This is not recommended practice for tests because tests should be deterministic.
The right thing to do is:
craft your request so that the response is 100% predictable. do not worry about code-duplication, this is sometimes necessary for tests
ignore the dynamic data if it is not relevant to the Scenario
use conditional logic to set "expected value" variables instead of complicating your match logic
use self-validation expressions or schema-validation expressions for specific parts of the JSON
use the if keyword and call a second feature file - or you can even set the name of the file to call dynamically via a variable
in some cases karate.abort() can be used to conditionally skip / exit early
That said, if you really insist on doing this in the same flow, Karate allows you to do a match via JS in 0.9.6.RC4 onwards.
See this thread for details: https://github.com/intuit/karate/issues/1202#issuecomment-653632397
The result of karate.match() will return a JSON in the form { pass: '#boolean', message: '#string' }
If none of the above options work - that means you are doing something really complicated, so write Java interop / code to handle this

Akka Http Parameter Validation

I have several get routes for my akka-http service; they all have the form:
pathPrefix("compass") {
path("route") {
parameters(('srclat.as[Double], 'srclon.as[Double],
'destlat.as[Double], 'destlon.as[Double])) {
(srclat, srclon, destlat, destlon) =>
complete(getRoute((LatLong(srclat, srclon), LatLong(destlat,
destlon))))
}
}
}
Using Cats Validated data type, I am able to validate both the latitudes and longitudes passed to the method, collecting any values that exceed their ranges in a List[String]. I know there's a validate directive, but I'm not sure if it works for applicative (accumulative) style validation (so if multiple parameters are wrong, I'll get a list of all errors), but I'm not sure how to use the validate directive for this, or if there's a preferred way.
Also, I know parameters is a directive and should be able to be reused-- I have 3 get methods with the same parameters (requiring the same validation), so if there's a way to accomplish this with the least amount of boilerplate, that would be great. Thanks for any suggestions!

Recognize function calls as proxy between frontend and backend

Based on this question I found out I can't expect to find function calls as proxy using 'F' identifier.
I researched more and now I think postgreSQL uses extended query protocol to send parametric statements such as functions. (correct me if I'm wrong)
I know executing prepared-statements will use extended query protocol too (and I think there should be more statements which use this protocol)
So I think this shouldn't be the way to recognize a function call as a proxy. Is there any other way? Is it possible at all? Or am I completely lost and misunderstood everything?
by the way by recognizing function call I mean I need to recognize a function call and investigate passed parameters and function name as a third party in frontend-backend connection (between client and server)
PostgreSQL uses the extended query protocol for statements with parameters, but these parameters are not necessarily the same as function parameters.
To use examples using the C API, if you send a function call like this:
res = PQexec(conn, "SELECT myfun(42)");
it will be sent in a packet with the 'Q' (Query) identifier.
If you send it like this:
const Oid types[1] = { INT4OID };
const char * const vals[1] = { "42" };
res = PQexecParams(conn, "SELECT myfun($1)", 1, types, vals, NULL, NULL, 0);
the query will be sent in a packet with a 'P' (Parse) identifier and the parameter with be sent in the following 'B' (Bind) packet.
But that has nothing to do with function calls, the same will happen for a query like this:
SELECT val FROM mytab WHERE id = $1;
You say your goal is to listen to the frontend-backend protocol and filter out all function calls and the parameters passed to them.
That is a very difficult task; essentially it means that you have to parse the SQL statements sent to the server, and that means you have to duplicate at least part of PostgreSQL's parser. You'll have to remember some parsed statements and inject parameters from bind packets.
In addition to that, two question come to my mind:
Does it matter that this way you won't be able to catch function calls issued inside functions?
How do you determine the passed parameter in cases like this:
SELECT myfun((SELECT val FROM tab WHERE id = 42));
or this:
SELECT myfun(CAST(otherfun(42) || '0' AS integer));
Maybe there's a better way to achieve what you want, like hacking the PostgreSQL server and extracting your information at the place where the function is actually called.

How to write a function that can be executed in LinqToEntities without loading the object

I have a design problem, but don't know how to fix it. I have a Policy object, with a boolean property like so:
public bool IsCancelled
{
get
{
return (CancellationDate != null && Convert.ToDateTime(CancellationDate) < DateTime.Today);
}
}
The problem with this approach is that if I want to get...
context.Policies.where(q => q.IsCancelled)
...LinqToEntities can't execute this against the database; I must load every policy object into memory, like this statement below, which kills performance and is completely unnecessary:
context.policies.ToList().where(q => q.IsCancelled)
A colleague tells me I should be able to use a Func or Expression to do this, but I'm at a loss as to what phrase to even Google for this. Can someone recommend a link or two that explains how to do this?
Keep in mind, I want this to be available to queries like the one above, and to an instance of a Policy object in memory, without having to code the logic twice (DRY and all that).
Thanks.
The problem is your Convert method. I assume CancelationDate is a string. The real problem here is that SQL doesn't do date comparisons as strings, they need to be in date format. This can't be translated to SQL, and thus won't work in the database.
You really should be storing dates as the date type, not as strings. Then it would be trivial. If you can change this, then do it, then no conversion is necessary.
Your other option is to futz with the EntityFunctions, SqlFunctions, DbFunctions to try to make it work.
See:
Comparing date with string Entity Framework