From 5b6ceff8d982ad509f72fa70944a7906a95ced5f Mon Sep 17 00:00:00 2001 From: Bram Kleinhout Date: Tue, 3 Jan 2017 17:40:38 +0100 Subject: [PATCH] Fix definition of createChangeStream "options" arg Modify the remoting metadata for the "options" argument to use the new `http: 'optionsFromRequest'` mapping. The old configuration, where the clients could set arbitrary "options", opened a security vulnerability because with "optionsFromReqest" in place in other PersistedModel methods, users are expecting that "ctx.options" provided by Operation hooks is always created server-side and cannot be tampered by clients. --- lib/persisted-model.js | 11 ++--------- test/context-options.test.js | 5 +++++ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/lib/persisted-model.js b/lib/persisted-model.js index df52fad7..2158a3b3 100644 --- a/lib/persisted-model.js +++ b/lib/persisted-model.js @@ -993,15 +993,8 @@ module.exports = function(registry) { {verb: 'post', path: '/change-stream'}, {verb: 'get', path: '/change-stream'}, ], - accepts: { - arg: 'options', - type: 'object', - }, - returns: { - arg: 'changes', - type: 'ReadableStream', - json: true, - }, + accepts: {arg: 'options', type: 'object', http: 'optionsFromRequest'}, + returns: {arg: 'changes', type: 'ReadableStream', json: true}, }); }; diff --git a/test/context-options.test.js b/test/context-options.test.js index 99a159c4..df5a7a27 100644 --- a/test/context-options.test.js +++ b/test/context-options.test.js @@ -114,6 +114,11 @@ describe('OptionsFromRemotingContext', function() { return request.get('/products/count').expect(200) .then(expectInjectedOptions); }); + + it('injects options to createChangeStream()', function() { + return request.get('/products/change-stream').expect(200) + .then(expectInjectedOptions); + }); }); context('when invoking prototype methods', function() {