Description/Steps to reproduce
MongoDB's $where operator allows the execution of JavaScript code for greater flexibility. This is a security problem because this connector allows the $where operator to be used in every filter query param exposed by LoopBack, thereby exposing the $where filter to the public.
This applies to every model that extends PersistedModel, since the usual CRUD endpoints are created with the filter query param for every GET request.
Something like this:
GET /api/brands?filter={"where": {"$where": "if(typeof fzzzuvz==='undefined'){var a=new Date();do{var b=new Date();}while(b-a<5000);fzzzuvz=1;}"}}
This allows anyone to delay their request by 5 seconds. Other variants can even cause an infinite loop (more information here).
As a workaround we can disable JavaScript evaluation in the $where operator on the database itself (here), but then we lose this functionality on the server side as well.
A better solution would be for these operators to be parsed out or not exposed on the endpoints. That way they remain usable from the API side but are disabled from the outside.
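One way to implement the server-side parsing suggested above, as an added example that is not part of loopback-connector-mongodb or LoopBack: walk the client-supplied filter before it reaches the connector and reject any object key that is a server-side JavaScript operator. The operator list and the helper names are assumptions; $where is the operator the report describes, and the inputs below are constructed.

```javascript
// Added example (not project code): block client-supplied filters that
// smuggle in server-side JavaScript operators such as $where.
// FORBIDDEN_OPERATORS is an assumption; extend it as needed.
const FORBIDDEN_OPERATORS = new Set(['$where']);

// Recursively walks a parsed filter (objects and arrays, so nested
// "and"/"or" clauses are covered) and returns the dotted path of the first
// forbidden operator key, or null if the filter is clean.
function findForbiddenOperator(node, path = []) {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findForbiddenOperator(node[i], path.concat(String(i)));
      if (hit) return hit;
    }
    return null;
  }
  if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      if (FORBIDDEN_OPERATORS.has(key)) return path.concat(key).join('.');
      const hit = findForbiddenOperator(node[key], path.concat(key));
      if (hit) return hit;
    }
  }
  return null;
}

// Accepts the raw ?filter= value as LoopBack receives it (a JSON string or
// an already-parsed object) and throws a 400-style error if it contains a
// forbidden operator; otherwise returns the parsed filter untouched.
function parseClientFilter(rawFilter) {
  const filter = typeof rawFilter === 'string' ? JSON.parse(rawFilter) : rawFilter;
  const hit = findForbiddenOperator(filter);
  if (hit) {
    const err = new Error(`Operator not allowed in filter: ${hit}`);
    err.statusCode = 400;
    throw err;
  }
  return filter;
}

// Constructed sample inputs: a benign filter and one hiding $where inside an "or".
const benign = '{"where":{"name":"acme"}}';
const hostile = '{"where":{"or":[{"name":"acme"},{"$where":"this.name.length > 3"}]}}';
console.log(findForbiddenOperator(JSON.parse(benign)));   // null
console.log(findForbiddenOperator(JSON.parse(hostile)));  // where.or.1.$where
```

In a LoopBack 3 application this check would typically run in a beforeRemote hook on each PersistedModel, where the parsed filter is available as ctx.args.filter (wiring it up that way is an assumption, not shown here).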