(pipeline: string)
| 91 | } |
| 92 | |
| 93 | export function validatePipeline(pipeline: string): { isValid: boolean; error?: string } { |
| 94 | try { |
| 95 | const parsed = JSON.parse(pipeline) |
| 96 | |
| 97 | if (!Array.isArray(parsed)) { |
| 98 | return { |
| 99 | isValid: false, |
| 100 | error: 'Pipeline must be an array', |
| 101 | } |
| 102 | } |
| 103 | |
| 104 | const dangerousOperators = [ |
| 105 | '$where', // Executes arbitrary JavaScript |
| 106 | '$function', // Custom JavaScript functions |
| 107 | '$accumulator', // Custom JavaScript accumulators |
| 108 | '$let', // Variable definitions that could be exploited |
| 109 | '$merge', // Writes to external collections |
| 110 | '$out', // Writes to external collections |
| 111 | '$currentOp', // Exposes system operation info |
| 112 | '$listSessions', // Exposes session info |
| 113 | '$listLocalSessions', // Exposes local session info |
| 114 | ] |
| 115 | |
| 116 | for (const stage of parsed) { |
| 117 | if (containsDangerousOperator(stage, dangerousOperators)) { |
| 118 | return { |
| 119 | isValid: false, |
| 120 | error: 'Pipeline contains potentially dangerous operators', |
| 121 | } |
| 122 | } |
| 123 | } |
| 124 | |
| 125 | return { isValid: true } |
| 126 | } catch (error) { |
| 127 | return { |
| 128 | isValid: false, |
| 129 | error: 'Invalid JSON format in pipeline', |
| 130 | } |
| 131 | } |
| 132 | } |
| 133 | |
| 134 | export function sanitizeCollectionName(name: string): string { |
| 135 | if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name)) { |
no test coverage detected