reject unsafe mongo query operators (backport 24.05)#7696
Merged
ar2rsawseen merged 2 commits into release.24.05 on Jun 10, 2026
Conversation
Backport to release.24.05. Validate user-supplied Mongo queries at the API boundary and reject those containing $where/$function/$accumulator instead of stripping them in place. $expr is allowed. Queries are validated as decoded objects and either run exactly as submitted or are rejected with 400 - never modified. Adds common.parseUserQuery / common.findUnsafeMongoOperator / common.reqInfo and a near-total app_users delete guard (force still allowed; matching ~all users requires confirm_delete_all=true). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cookiezaurs
approved these changes
Jun 9, 2026
Contributor
Pull request overview
This PR backports the “reject unsafe mongo query operators” hardening to release.24.05 by moving validation to API boundaries (rejecting requests) instead of mutating user-supplied Mongo queries in-place, while also adding a safety net for near-total /i/app_users/delete operations.
Changes:
- Introduces common.findUnsafeMongoOperator, common.parseUserQuery, and common.reqInfo, and replaces prior "strip" behavior with request rejection (400) at multiple endpoints.
- Updates multiple plugins/endpoints to validate user-supplied query/filter JSON and log rejections with endpoint context.
- Adds an extra guard for /i/app_users/delete when force deletes would match nearly all users, requiring confirm_delete_all=true.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| test/unit-tests/api.utils.common.js | Adds unit coverage for findUnsafeMongoOperator and parseUserQuery. |
| plugins/systemlogs/api/api.js | Parses + validates query via parseUserQuery and rejects invalid/unsafe queries. |
| plugins/remote-config/api/api.js | Rejects configs/conditions containing unsafe operators before storing/dispatching. |
| plugins/push/api/legacy.js | Validates userConditions/drillConditions for unsafe operators in legacy push validation. |
| plugins/push/api/api-tx.js | Validates request-supplied tx filters for unsafe operators before dispatching. |
| plugins/push/api/api-message.js | Validates message filter queries for unsafe operators during message validation. |
| plugins/logger/api/api.js | Validates filter via parseUserQuery and rejects unsafe queries in logs fetch endpoint. |
| plugins/dbviewer/api/api.js | Rejects unsafe operators in user-supplied dbviewer filter/sort (post-EJSON parse). |
| plugins/crashes/api/api.js | Validates crashes query param via parseUserQuery and rejects unsafe queries. |
| plugins/compliance-hub/api/api.js | Validates compliance-hub query inputs via parseUserQuery at multiple endpoints. |
| api/utils/requestProcessor.js | Uses parseUserQuery for /i/app_users/* query inputs and adds near-total force-delete guard. |
| api/utils/common.js | Replaces stripping helper with operator detection + query parsing/validation + log-safe request context helper. |
| api/parts/mgmt/cms.js | Validates CMS query via parseUserQuery and rejects invalid/unsafe queries. |
| api/parts/mgmt/app_users.js | Removes in-place stripping in mgmt app_users methods (relying on boundary validation). |
| api/parts/data/fetch.js | Validates filter via parseUserQuery for fetchAllApps. |
| api/parts/data/exports.js | Rejects unsafe operators in export queries before preprocess + DB find. |
…p sentinel to a clear message via common.unsafeQueryError Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Backport of #7694 to release.24.05.
Validate user-supplied Mongo queries at the API boundary instead of stripping operators in place.
- $expr is allowed; reject $where/$function/$accumulator at any depth (incl. nested inside $expr). Rejected queries get a 400.
- common.parseUserQuery / common.findUnsafeMongoOperator / common.reqInfo; validation applied at the endpoints that accept a query, with rejection logged at the call site (endpoint in the message).
- /i/app_users/delete guard: force still allowed, but matching ~all users requires confirm_delete_all=true.
- Cherry-picked cleanly onto release.24.05 (only the root CLAUDE.md, which doesn't exist on this branch, was dropped). Unit tests included.
Companion (lockstep): Countly/countly-enterprise-plugins backport branch backport/reject-unsafe-query-operators-24.05.
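As an added illustration of the reject-instead-of-strip approach the PR describes (not Countly's own common.js code), here is a self-contained sketch of a recursive operator finder and a boundary parser that returns the decoded query untouched or an error for the caller to map to a 400. Function names mirror the PR's helpers, but the signatures and the returned `{ query }` / `{ error }` shape are assumptions of this example.

```javascript
// Operators that run server-side JavaScript or arbitrary code in MongoDB.
// $expr is deliberately not listed: it stays allowed, but its contents are
// still walked so a $function nested inside it is still caught.
const UNSAFE_OPERATORS = new Set(['$where', '$function', '$accumulator']);

// Returns the first unsafe operator key found anywhere in the decoded query
// (nested objects, arrays, $and/$or branches, inside $expr), or null if none.
function findUnsafeMongoOperator(value, path = '') {
    if (Array.isArray(value)) {
        for (let i = 0; i < value.length; i++) {
            const hit = findUnsafeMongoOperator(value[i], `${path}[${i}]`);
            if (hit) return hit;
        }
        return null;
    }
    if (value && typeof value === 'object') {
        for (const key of Object.keys(value)) {
            const keyPath = path ? `${path}.${key}` : key;
            if (UNSAFE_OPERATORS.has(key)) return { operator: key, path: keyPath };
            const hit = findUnsafeMongoOperator(value[key], keyPath);
            if (hit) return hit;
        }
    }
    return null;
}

// Parses a user-supplied query (JSON string or already-decoded object) and
// validates it as a decoded object. Returns { query } when it may be run
// exactly as submitted, or { error } for the endpoint to reject with 400.
// The query is never modified: no operator stripping, no rewriting.
function parseUserQuery(raw) {
    if (raw === undefined || raw === null || raw === '') return { query: {} };
    let query;
    try {
        query = typeof raw === 'string' ? JSON.parse(raw) : raw;
    } catch (e) {
        return { error: 'Invalid query JSON' };
    }
    if (!query || typeof query !== 'object' || Array.isArray(query)) {
        return { error: 'Query must be a JSON object' };
    }
    const unsafe = findUnsafeMongoOperator(query);
    if (unsafe) return { error: `Unsafe query operator ${unsafe.operator} at ${unsafe.path}` };
    return { query };
}
```

The reported path (for example `$expr.$function` or `$or[1].$where`) is what the endpoint would log alongside the endpoint name, so a rejection in the logs is traceable without echoing the full user query.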