Friday 15 June 2012

node.js - How to protect fields from mass assignment in Mongoose?


There are two fields in a Mongoose model, Thing, of which only one (secure) should be settable through mass assignment:

    var db = require('mongoose');
    var schema = new db.Schema({
      secure: { type: String },   // settable via mass assignment
      insecure: { type: String }  // is not set via mass assignment
    });
    var Thing = db.model('Thing', schema);

A controller sets up the Thing by passing in the request parameters:

    exports.create = function (req, res) {
      var thing = new Thing(req.body);
      // more...
    };

An attacker might try to set Thing.insecure through a JSON POST request. That should be prevented.

It would be nice to find some kind of Rails-style attr_accessible functionality for Mongoose, but I don't see anything. For one thing, mongoose-mass-assignment apparently requires the use of a new API (two functions). I want the protection to work across the board for any native Mongoose model function to which a hash is passed, for example the Thing constructor and the Thing.create function.

How do I get mass-assignment protection for Mongoose models? If it is not available, how do Mongoose users currently protect themselves from this vulnerability?

Facepalm:

    var thing = new Thing(req.body);

Little saner:

    var okFields = {};
    okFields.secure = req.body.secure;
    var thing = new Thing(okFields);
    // Whitelisting helper from Underscore:
    _.pick(req.body, 'secure');

Feel free to add whatever data validation you need here or in Mongoose; don't just do this. Rails has taught you a terrible habit. But to answer your question, AFAIK there is no mechanism in Mongoose or MongoDB for implementing anything along the lines of the Rails concept or an equivalent of it.
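The whitelisting idea from the answer above, generalized into a reusable helper that also rejects non-string values and reports the fields it dropped. This is an added example, not code from the original post or from Mongoose: `Thing` is a constructed stand-in for the Mongoose model, and `pickAllowed` is a hypothetical helper name.

```javascript
// Constructed stand-in for a Mongoose model: like `new Thing(hash)`, it
// copies every schema path found in the hash onto the new document.
const SCHEMA_PATHS = ['secure', 'insecure'];
function Thing(hash) {
  for (const path of SCHEMA_PATHS) {
    if (Object.prototype.hasOwnProperty.call(hash, path)) this[path] = hash[path];
  }
}

// Hypothetical helper: copy only whitelisted own properties whose values are
// strings (the schema type), and report every other key for logging.
function pickAllowed(body, allowed) {
  const picked = {};
  const rejected = [];
  // A missing or malformed body yields an empty document, never a throw.
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { picked, rejected };
  }
  for (const key of Object.keys(body)) {
    if (allowed.includes(key) && typeof body[key] === 'string') {
      picked[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { picked, rejected };
}

// Constructed request body, as a JSON body parser would hand it to the route.
const body = JSON.parse(
  '{"secure":"hello","insecure":"owned","__proto__":{"x":1}}'
);

// Mass assignment: the client controls every schema path, including `insecure`.
function createUnfiltered() {
  return new Thing(body);
}

// Whitelisted assignment: only `secure` reaches the model constructor.
function createFiltered() {
  const { picked, rejected } = pickAllowed(body, ['secure']);
  return { thing: new Thing(picked), rejected };
}

console.log('unfiltered:', createUnfiltered());
console.log('filtered:  ', createFiltered());
```

Logging the `rejected` list on the server gives a cheap signal that a client is probing for fields it should not be able to set.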
