From 4fc2d7ae7021355c1531847acd2e7ccea20dc607 Mon Sep 17 00:00:00 2001
From: Petr Jasek
Date: Thu, 2 Nov 2023 10:29:46 +0100
Subject: [PATCH] avoid $where mongodb query which can be used to get sensitive info SDESK-7092
---
 features/user.feature | 13 +++++++++++++
 superdesk/default_settings.py | 6 ++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/features/user.feature b/features/user.feature
index 77cd75f85f..aa7affa5cc 100644
--- a/features/user.feature
+++ b/features/user.feature
@@ -568,3 +568,16 @@ Feature: User Resource
 """
 {}
 """
+
+ @auth Scenario: Restrict queries using $where Given "users" """ [ {"username": "test", "password": "test"} ] """
+ When we get "users?where={"username": "test", "$where": "this.password[0] == '$'"}" Then we get error 400
+
\ No newline at end of file
diff --git a/superdesk/default_settings.py b/superdesk/default_settings.py
index 88a270ecd4..d7b7fcd239 100644
--- a/superdesk/default_settings.py
+++ b/superdesk/default_settings.py
@@ -183,8 +183,10 @@ def local_to_utc_hour(hour):
 #: full mongodb connection uri, overrides ``MONGO_DBNAME`` if set
 MONGO_URI = env("MONGO_URI", "mongodb://localhost/%s" % MONGO_DBNAME)
-#: allow all mongo queries
-MONGO_QUERY_BLACKLIST = []
+#: don't allow js mongo queries which can be used to leak sensitive info
+#:
+#: More info in `SDESK-7092`_.
+MONGO_QUERY_BLACKLIST = ["$where", "$expr"]
 MONGO_LOCALE = "en_US"
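Review bot: The new scenario exercises only the `$where` operator, while the settings hunk in this same commit also blacklists `$expr`, so half of the new restriction has no behavioural coverage. A second request asserting the same rejection would pin both entries, e.g. `When we get "users?where={"$expr": {"$eq": ["$username", "test"]}}"` followed by `Then we get error 400`. A positive check that an ordinary filter such as `users?where={"username": "test"}` still returns 200 would guard against the blacklist rejecting legitimate queries, unless an equivalent step already exists earlier in the feature, which I cannot see from here. Minor: the hunk ends with a whitespace-only step line and drops the file's trailing newline (`\ No newline at end of file`).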
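Review bot: The operator blacklist closes the `$where` channel but not the underlying exposure, which is that a client-supplied `where` filter may reference the `password` field of the users resource at all; any operator that matches on field content remains a way to probe that value, and Eve's documented default for this setting is `['$where', '$regex']`, with `$regex` dropped here since the old `allow all mongo queries` value. The more durable control is field-level, restricting `allowed_filters` on the users resource (or stripping password-like fields from the client `where`) in addition to this list, and the decision to keep `$regex` enabled deserves a comment. The first added comment line calls these "js mongo queries", but `$expr` is not JavaScript in itself; it is worth blocking because aggregation expressions can embed `$function`, which does execute server-side JS on MongoDB 4.4+, and the comment should state that, e.g. `#: block server-side JS: $where, and $expr (which can wrap $function)`. The trailing underscore on the third added comment line turns `SDESK-7092` into an RST hyperlink reference, so unless a matching link target is defined elsewhere in the module, Sphinx will warn about an unknown target; a plain literal would avoid that.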