I want to expose a collection GET API, say GET /api/endpoint/collection?query=<…>&options=<…>. I need to support any arbitrary query and options that are supported by the underlying MongoDB. My purpose is to provide a REST API wrapper proxy for the collections. That’s all.
So instead of manually processing every query and options, we just want to take the whole JSON objects in the query and options of the GET and pass them to find(query, options) or findOne(query, options) as-is. [FYI: Aggregation is not considered as of now.]
Now, naturally, script injection is something that needs to be considered.
The understanding here is:
- We can still pass the pure JSON (i.e. we need not convert it to BSON somehow). As Mongo stores data on disk and transmits data over the network in BSON format, it’s safe.
- Still, we need to check for the presence of a few operators in both the query and the fields of type object in the options, as mentioned in the Mongo FAQ.
Is the above understanding correct?
Or do we need to first check for the forbidden operators and, if they are not present, explicitly BSON-ify the query and options before passing them to find/findOne?
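As an added example (not code from the question or from any answer), here is a Node.js validator for the wrapper described above: it parses the raw `query` and `options` strings, refuses the operators that make the server evaluate user-supplied JavaScript (`$where`, `$function`, `$accumulator`) wherever they are nested, allowlists the option keys it will forward, and caps `limit` before the result would be handed to `find(query, options)`. The allowlist and the cap value are assumptions about what such a proxy should forward.

```javascript
// Operators that make MongoDB evaluate user-supplied JavaScript server-side.
const DENIED_OPERATORS = new Set(['$where', '$function', '$accumulator']);

// Assumed allowlist: option keys this wrapper is willing to forward.
const ALLOWED_OPTIONS = new Set(['projection', 'sort', 'limit', 'skip']);
const MAX_LIMIT = 100; // assumed cap on documents returned per request

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Walks any nested object/array and returns the path of the first denied
// operator key found, or null when the subtree is clean.
function findDeniedOperator(node, path = '') {
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) {
      const hit = findDeniedOperator(node[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (isPlainObject(node)) {
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (DENIED_OPERATORS.has(key)) return here;
      const hit = findDeniedOperator(value, here);
      if (hit) return hit;
    }
  }
  return null;
}

// Parses the raw URL parameters and returns { ok: true, query, options }
// (safe to pass to find/findOne) or { ok: false, reason }.
function prepareFindArgs(rawQuery, rawOptions) {
  let query, options;
  try {
    query = rawQuery === undefined ? {} : JSON.parse(rawQuery);
    options = rawOptions === undefined ? {} : JSON.parse(rawOptions);
  } catch (e) {
    return { ok: false, reason: 'query/options are not valid JSON' };
  }
  if (!isPlainObject(query) || !isPlainObject(options)) {
    return { ok: false, reason: 'query and options must be JSON objects' };
  }
  for (const key of Object.keys(options)) {
    if (!ALLOWED_OPTIONS.has(key)) return { ok: false, reason: `option not allowed: ${key}` };
  }
  const hit = findDeniedOperator(query) || findDeniedOperator(options, 'options');
  if (hit) return { ok: false, reason: `operator not allowed at ${hit}` };
  const n = Number(options.limit);
  options.limit = Number.isInteger(n) && n > 0 ? Math.min(n, MAX_LIMIT) : MAX_LIMIT;
  return { ok: true, query, options };
}
```

Plain JSON still cannot carry ObjectId or Date values, so if the wrapper must accept those the parse step needs an Extended JSON parser rather than `JSON.parse`.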