Fix definition of createChangeStream "options" arg

Modify the remoting metadata for the "options" argument to use the new `http: 'optionsFromRequest'` mapping. The old configuration, where the clients could set arbitrary "options", opened a security vulnerability because with "optionsFromReqest" in place in other PersistedModel methods, users are expecting that "ctx.options" provided by Operation hooks is always created server-side and cannot be tampered by clients.
2017-01-03 17:40:38 +01:00 · 2017-01-03 17:40:38 +01:00 · 5b6ceff8d9
parent 3946462828
commit 5b6ceff8d9
2 changed files with 7 additions and 9 deletions
--- a/lib/persisted-model.js
+++ b/lib/persisted-model.js
@ -993,15 +993,8 @@ module.exports = function(registry) {
        {verb: 'post', path: '/change-stream'},
        {verb: 'get', path: '/change-stream'},
      ],
-      accepts: {
-        arg: 'options',
-        type: 'object',
-      },
-      returns: {
-        arg: 'changes',
-        type: 'ReadableStream',
-        json: true,
-      },
+      accepts: {arg: 'options', type: 'object', http: 'optionsFromRequest'},
+      returns: {arg: 'changes', type: 'ReadableStream', json: true},
    });
  };

--- a/test/context-options.test.js
+++ b/test/context-options.test.js
@ -114,6 +114,11 @@ describe('OptionsFromRemotingContext', function() {
      return request.get('/products/count').expect(200)
        .then(expectInjectedOptions);
    });
+
+    it('injects options to createChangeStream()', function() {
+      return request.get('/products/change-stream').expect(200)
+        .then(expectInjectedOptions);
+    });
  });

  context('when invoking prototype methods', function() {