reject unsafe mongo query operators #7694
Merged
Contributor
Pull request overview
This PR hardens Countly’s API boundary by replacing the previous in-place stripping of unsafe MongoDB operators with a validate-and-reject approach. It introduces shared helpers in api/utils/common.js and updates multiple API entrypoints/plugins to either execute a user query exactly as provided or reject it with HTTP 400, preventing silent query rewrites.
Changes:
- Added `common.findUnsafeMongoOperator()` and `common.parseUserQuery()` to detect and reject `$where`/`$function`/`$accumulator` (while allowing `$expr`).
- Updated multiple endpoints/plugins to parse/validate incoming query/filter JSON and return `400` on invalid JSON or disallowed operators (instead of stripping and continuing).
- Added unit tests covering the new helper behavior and the motivating `$expr` customer query.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/unit-tests/api.utils.common.js | Adds unit tests for findUnsafeMongoOperator and parseUserQuery. |
| api/utils/common.js | Replaces stripping logic with unsafe-operator detection + parse-and-reject helper. |
| api/utils/requestProcessor.js | Uses parseUserQuery at request boundary for app user operations. |
| api/parts/mgmt/app_users.js | Removes silent stripping before /drill/preprocess_query dispatch. |
| api/parts/mgmt/cms.js | Validates request-supplied CMS query via parseUserQuery and rejects on error. |
| api/parts/data/fetch.js | Validates filter query param via parseUserQuery and rejects on error. |
| api/parts/data/exports.js | Validates already-parsed export query via findUnsafeMongoOperator. |
| plugins/systemlogs/api/api.js | Uses parseUserQuery for systemlogs query parsing + rejection. |
| plugins/logger/api/api.js | Uses parseUserQuery for logs filter parsing + rejection. |
| plugins/crashes/api/api.js | Uses parseUserQuery for crashes query parsing + rejection. |
| plugins/compliance-hub/api/api.js | Validates compliance-hub query parsing paths via parseUserQuery. |
| plugins/dbviewer/api/api.js | Switches to reject unsafe operators via findUnsafeMongoOperator (EJSON-aware path). |
| plugins/remote-config/api/api.js | Validates remote-config condition payloads/strings for unsafe operators at ingress. |
| plugins/push/api/legacy.js | Rejects unsafe operators in legacy push audience/drill conditions. |
| plugins/push/api/api-message.js | Rejects unsafe operators in push message filters before DB execution. |
| plugins/push/api/api-tx.js | Rejects unsafe operators in tx filter override after Filter parsing. |
b6bd6ac to d39eb02
Cookiezaurs approved these changes Jun 9, 2026
9092b9f to 19e2b07
Validate user-supplied Mongo queries at the API boundary and reject those containing $where/$function/$accumulator instead of stripping them in place. $expr is allowed. Queries are validated as decoded objects (keys only) and either run exactly as submitted or are rejected with 400 - they are never modified. Adds common.parseUserQuery / common.findUnsafeMongoOperator and applies validation at the endpoints that accept a query. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
19e2b07 to e10933c
Validate user-supplied Mongo queries at the API boundary instead of stripping operators in place.
- Allow `$expr`; reject `$where`/`$function`/`$accumulator` at any depth, including nested inside `$expr`.
- Invalid JSON or disallowed operators: `400`.
- Adds `common.parseUserQuery`/`common.findUnsafeMongoOperator`; validation is applied at the endpoints that accept a query.
- Unit tests included.
- Companion (lockstep): Countly/countly-enterprise-plugins#3218
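The validate-and-reject pattern described in the review summary and the PR description, as an added illustration in Node.js. This is not Countly's code: the function names mirror `common.findUnsafeMongoOperator` and `common.parseUserQuery` from the PR, but their signatures and return shapes (`{ query }` on success, `{ error, status: 400 }` on rejection) are assumptions, and the sample queries are constructed. It shows the three properties the PR states: only keys are inspected, operators are caught at any depth including inside `$expr`, and a query is either returned exactly as decoded or rejected, never rewritten.

```javascript
// Added illustration, not Countly's own implementation. Names follow the PR's
// helpers; signatures, return shapes and the sample queries are assumptions.

const UNSAFE_OPERATORS = new Set(['$where', '$function', '$accumulator']);

// Walk a decoded query and return the first unsafe operator found as an object
// key at any depth, with its path, or null. Values are never inspected or
// modified, so a string value such as "$where" is not a hit.
function findUnsafeMongoOperator(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafeMongoOperator(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (UNSAFE_OPERATORS.has(key)) return { operator: key, path: keyPath };
      const hit = findUnsafeMongoOperator(value[key], keyPath);
      if (hit) return hit;
    }
  }
  return null;
}

// Parse a raw request parameter into a query object. Returns { query } when the
// JSON is valid and contains no unsafe operator, otherwise { error, status: 400 }.
// The returned query is the decoded object as submitted; nothing is stripped.
function parseUserQuery(raw) {
  if (raw === undefined || raw === null || raw === '') return { query: {} };
  let query;
  try {
    query = typeof raw === 'string' ? JSON.parse(raw) : raw;
  } catch (e) {
    return { error: 'Invalid query JSON', status: 400 };
  }
  if (query === null || typeof query !== 'object' || Array.isArray(query)) {
    return { error: 'Query must be a JSON object', status: 400 };
  }
  const unsafe = findUnsafeMongoOperator(query);
  if (unsafe) {
    return { error: `Operator ${unsafe.operator} not allowed (at ${unsafe.path})`, status: 400 };
  }
  return { query };
}

// Endpoint-style usage: reject with 400 or pass the untouched query to the
// (simulated) database call. `runQuery` stands in for a real collection.find.
function handleFilterRequest(params, runQuery) {
  const parsed = parseUserQuery(params.filter);
  if (parsed.error) return { status: 400, body: { result: parsed.error } };
  return { status: 200, body: runQuery(parsed.query) };
}

// Constructed samples: the motivating $expr query, a $function nested inside
// $expr, an $accumulator deep in a pipeline fragment, and malformed JSON.
const SAMPLES = {
  exprOnly: '{"$expr":{"$gt":["$total_spent","$budget"]}}',
  nestedFunction: '{"$expr":{"$function":{"body":"function(){return true}","args":[],"lang":"js"}}}',
  deepAccumulator: '{"pipeline":[{"$group":{"_id":"$did","v":{"$accumulator":{}}}}]}',
  valueNotKey: '{"name":"$where"}',
  badJson: '{"$expr":'
};

function demo() {
  const echo = (q) => ({ executed: q });
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    out[name] = handleFilterRequest({ filter: raw }, echo).status;
  }
  return out;
}

module.exports = { findUnsafeMongoOperator, parseUserQuery, handleFilterRequest, demo, SAMPLES };
```

`demo()` returns `200` for `exprOnly` and `valueNotKey` and `400` for the other three, which is the behaviour the PR asks for: the customer's `$expr` query runs as written, while an injected `$function` does not get silently dropped and then executed as a different query.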