Meteor Dev Tool mark users update insecure ?? #63
Comments
|
Im running into the same issues, all collections turn up green except the users collection update but i cannot find any evidence that this is actually true. |
|
Thanks for reporting this, guys. I am gonna take a look at this. @koetheq please don't get too anxious about this - looks like a bug in the tool 🌵 |
|
+1 |
1 similar comment
|
+1 |
|
|
+1 |
1 similar comment
|
+1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I like the Meteor Dev Tool. It helps me a lot in development. But the audit tool in MeteorDevTool mark my app insecure.
In my app, there is no allow/deny rules as recommended by meteor guide. And all user insert/update/remove are done through meteor method. check, audit-arguments-checks package are used, all argument check before execute. But when open MeteorDevTool =>security=>collections, click audit button of users collection, it still gives me a red update insecure message.
I read the article about how meteor dev tool determine a collection op is insecure, http://blog.thebakery.io/introducing-a-secury-auditor-to-meteor-devtools/, it says it will mark insecure if got an error other than 403... and says 'This means that some collections might be labeled as insecure even though the appropriate Allow/Deny rules have been setup and they present no immediate vulnerability.'
But this 'insecure' message makes developer and manager really scared . Therefore, I dig it further..
I looked into the DDP log and found the user update throws 400 Match Error instead of 403.
And the test is update with argument _{id:"invalid_id}
And in server console, such update op will throw an exception: Exception while invoking method '/users/update' Error: Match error: Expected object, got undefined
at exports.check (packages/check.js:57:15) ...
I tried some test method:
_Meteor.call('users/update', ({id:"invalid_id} )
==> throw 400 Match error (it will be marked as insecure by meteorDevTool)
_Meteor.call('users/update', ({id:"invalid_id},{})
==> throw 403 error ( it will be marked as secure by MeteorDevTool)
I tried tried similar update test direct to mongo in Robomongo:
_db.getCollection('users').update({'id':'invalid_id'} )
==> throw syntax exception
Error: need an object :
_DBCollection.prototype.parseUpdate@src/mongo/shell/collection.js:428:1
DBCollection.prototype.update@src/mongo/shell/collection.js:460:18
_db.getCollection('users').update({'id':'invalid_id'},{}})
==> pass: Updated 0 record(s) in 1ms ( no access check in Romomongo)
My impression:
The arguments for updating Meteor.users not allow only _id but no other field
If I am wrong, please enlighten me.
If I am right, could the MeteorDevTool could consider add some more dummy arguments to avoid wrongly insecure which scares us.
And also the collection meteor_autoupdate_clientVersions which is mark insecure for all insert/update/remove, even in a very simple app (a app created by 'meteor create app' and removed insecure, autopublish). What does that mean? what should we do?
Thanks!
Quan
The text was updated successfully, but these errors were encountered: