Security of session tokens: a [$gt] injection vulnerability

The way Mongo adapters normally work is that you pass something like {token: params.token}, but in many languages it’s easy to pass {$gt: 1} or [$gt]=1 and bypass this protection.

Very recent example: Information disclosure in parse-server (CVE-2020-5251, GitHub Advisory Database), and I’ve seen many more personally during security audits.

We managed to fix it in sequelize (Hash injection (security), sequelize/sequelize issue #7310 on GitHub), but I believe it’s better to fix it once and for all in the main Mongo adapters.

Solution: change the format of keys to something that cannot be crafted from JSON user input, e.g. sequelize now uses [Op.gt]: 1.
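Worked example, added here and not part of the original post or of any adapter's real code: a tiny stand-in for a Mongo-style matcher (equality plus `$gt` only), a tiny stand-in for qs/Rack bracket parsing, constructed sample sessions, and a hypothetical local `Op` object that mirrors the Sequelize idea of Symbol-keyed operators. It shows `token[$gt]=` matching every session through the naive lookup, and two ways to close it: a type check on the value, and operators that user input cannot spell.

```javascript
// Added example (not code from the post, parse-server or sequelize).
// Everything below is a simplified stand-in for the real components.

// Stand-in for qs / Rack bracket parsing: "token[$gt]=" -> { token: { $gt: "" } }.
// A JSON body {"token":{"$gt":""}} parses to the same shape via JSON.parse.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const [rawKey, rawVal = ''] = pair.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      if (typeof out[m[1]] !== 'object' || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Stand-in for a Mongo-style matcher: a plain value means equality, an
// object with "$op" string keys applies operators. This is the behaviour
// the post describes, and it is what the injection relies on.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, v]) => {
        if (op === '$gt') return actual > v;
        throw new Error('unsupported operator ' + op);
      });
    }
    return actual === cond;
  });
}

// Constructed sample data.
const sessions = [
  { token: 'a1b2c3', userId: 1 },
  { token: 'd4e5f6', userId: 2 },
];

// Vulnerable: the user-controlled value is dropped into the query as-is,
// so token = { $gt: "" } matches every stored token (every string > "").
function findSessionVulnerable(params) {
  return sessions.filter(doc => matches(doc, { token: params.token }));
}

// Hardened, option 1: refuse anything that is not a string before querying.
function findSessionTypeChecked(params) {
  if (typeof params.token !== 'string') return [];
  return sessions.filter(doc => matches(doc, { token: params.token }));
}

// Hardened, option 2 (the Sequelize-style fix, hypothetical local Op):
// operators are Symbol keys. JSON and query-string parsers can only ever
// produce string keys, so "$gt" arriving from the client is plain data.
const Op = { gt: Symbol('gt') };

function matchesOp(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const actual = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      const ops = Object.getOwnPropertySymbols(cond);
      // No Symbol keys: this is a literal object, and stored tokens are
      // strings, so it can never be equal. String keys such as "$gt" are ignored.
      if (ops.length === 0) return false;
      return ops.every(sym => {
        if (sym === Op.gt) return actual > cond[sym];
        throw new Error('unsupported operator');
      });
    }
    return actual === cond;
  });
}

function findSessionOp(params) {
  return sessions.filter(doc => matchesOp(doc, { token: params.token }));
}

// Legitimate operator use still works with the Symbol form.
function sessionsForUsersAbove(userId) {
  return sessions.filter(doc => matchesOp(doc, { userId: { [Op.gt]: userId } }));
}
```

Run it with Node: `findSessionVulnerable(parseQuery('token[$gt]='))` returns both sessions, while the type-checked and Symbol-operator lookups return none; `findSessionOp(parseQuery('token=d4e5f6'))` still finds the matching session. The type check is the cheap fix at the call site; the Symbol-keyed operator is the adapter-level fix the post argues for, because it removes the ambiguity between "data" and "operator" instead of checking for it at every call.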