(filter: string)
| 62 | } |
| 63 | |
| 64 | export function validateFilter(filter: string): { isValid: boolean; error?: string } { |
| 65 | try { |
| 66 | const parsed = JSON.parse(filter) |
| 67 | |
| 68 | const dangerousOperators = [ |
| 69 | '$where', // Executes arbitrary JavaScript |
| 70 | '$regex', // Can cause ReDoS attacks |
| 71 | '$expr', // Expression evaluation |
| 72 | '$function', // Custom JavaScript functions |
| 73 | '$accumulator', // Custom JavaScript accumulators |
| 74 | '$let', // Variable definitions that could be exploited |
| 75 | ] |
| 76 | |
| 77 | if (containsDangerousOperator(parsed, dangerousOperators)) { |
| 78 | return { |
| 79 | isValid: false, |
| 80 | error: 'Filter contains potentially dangerous operators', |
| 81 | } |
| 82 | } |
| 83 | |
| 84 | return { isValid: true } |
| 85 | } catch (error) { |
| 86 | return { |
| 87 | isValid: false, |
| 88 | error: 'Invalid JSON format in filter', |
| 89 | } |
| 90 | } |
| 91 | } |
| 92 | |
| 93 | export function validatePipeline(pipeline: string): { isValid: boolean; error?: string } { |
| 94 | try { |
no test coverage detected