Feathers: [Security] Querying $limit=null

Created on 7 Oct 2019  路  4Comments  路  Source: feathersjs/feathers

Steps to reproduce

Do HTTP request to any service with parameter $limit=null. This allow to users request data without limit. This happen with a value equal to null or any string.

Expected behavior

Add validation for not allow to externals request to access to unlimited data with $limit value different to a number.

Actual behavior

It allow to users access without limit, bypassing paginate.max value in default.json and causes an overload in server.

picture matiaslopezd

Most helpful comment

And I thought I knew many of JavaScript's weird quirks but this one threw me off, too:

Math.min(10, NaN) === NaN // false
Math.max(10, NaN) === NaN // false

Thanks for contributing and thanks again for the catch @matiaslopezd - the fix has been released in all db adapters with a deprecation notice.

picture daffl on 8 Oct 2019
2

All 4 comments

Well crap, today I learned that Math.min(10, NaN) is actually NaN. Fix in #1607 will return the default pagination instead.

daffl picture daffl on 7 Oct 2019
2

@daffl Great!! I love when we can contribute and the community still active in the years!

I contributed in opencollective with very small budget but soon I'll be able to more :smile:

matiaslopezd picture matiaslopezd on 7 Oct 2019

Also:

Math.max(10, NaN) // NaN
bertho-zero picture bertho-zero on 8 Oct 2019

And I thought I knew many of JavaScript's weird quirks but this one threw me off, too:

Math.min(10, NaN) === NaN // false
Math.max(10, NaN) === NaN // false

Thanks for contributing and thanks again for the catch @matiaslopezd - the fix has been released in all db adapters with a deprecation notice.

daffl picture daffl on 8 Oct 2019
2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

harrytang picture harrytang  路  3Comments
arve0 picture arve0  路  4Comments
corymsmith picture corymsmith  路  4Comments
davigmacode picture davigmacode  路  3Comments
huytran0605 picture huytran0605  路  3Comments