Comments (11)
I follow what you're saying. MongoDB might reject it though...? Have you tried inserting a malformed one?
The arg._bsontype==="ObjectID" statement was added for those who have both js-bson (likely via mongo) AND this library installed for whatever need... and mingle the ObjectIDs between the modules. I suppose we could remove it and just cause it to generate a new instance based on the input? Meaning, if an instance from js-bson was passed in, it will create a new one since instanceof will fail.
from bson-objectid.
Ideally, it'd be best if Mongo would break ObjectID into its own module!
Perhaps after all these years, they'll reconsider now that this module has gained > 30,000 weekly downloads & 237 public NPM dependents (2100 uses according to GitHub)! :)
Thanks for the quick response.
I think removing _bsontype == "ObjectID" will work, and I agree with you that it is better if ObjectID can be a standalone module for flexibility and consistency considerations.
Hi, I noticed that this issue has a CVE now (CVE-2019-19729). Any plans on removing _bsontype == "ObjectID" and pushing a new release?
From what I've found so far:
The payload needs to have an id property (getter at minimum) or it will cause an error and the insert fails.
Error: object [{"mal_formkey":{"payload":"xxxx"},"_bsontype":"ObjectID"}] is not a valid ObjectId at serializeObjectId ([...]/node_modules/mongodb/node_modules/bson/lib/bson/parser/serializer.js:287:11)
When it is converted to BSON, the BSON serializer looks at the _bsontype and converts it to the binary representation based on that type. So, even if there is extra data, there isn't anywhere for it to be serialized to.
Therefore, the risk of this being persisted to a MongoDB seems really low.
BUT, that's only for MongoDB. ObjectIDs are now used in many different places (e.g.: Redis, SQL, flat files...). So, I can't gauge the risk to those unknown possibilities, and it seems wise to just be sure there isn't a problem.
bson's ObjectID now uses a Buffer for the id property. This module was created when ObjectID used a String to store the data. A benefit of using a Buffer is that it cannot be created from JSON. I think this module should follow suit with a major version bump. It has always used a Buffer under the hood anyhow.
I can remove _bsontype === "ObjectID", but there will be a performance impact (albeit only observed by high-load codebases). With id being a Buffer, I could, alternatively, add a Buffer.isBuffer check of the id property.
I've likely missed a point of view, so I wanted to throw this out there first. Thoughts?
Thanks for disclosing the potential risk of this issue.
For your performance concern, I think we might still be able to keep the "short cut" of ObjectID identification. However, a more reliable metric should be adopted. For example, instead of detecting _bsontype, we can detect some built-in function inheriting from ObjectID (if any). This is more reliable since attackers can't send a function instance via JSON.
Indeed! Maybe we could use toHexString() since it exists on their prototypes.
Sounds good!
Can anyone submit a PR for this?
Closing until PR submitted.
🛠️ A fix has been provided for this issue. Please reference: 418sec#2
🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.