{example: /regex/} and {example: {$eq: /regex/}} do not mean the same thing

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Query Language
    • Query Optimization
    • ALL
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Adding a $eq should not have an impact on the meaning of the query, and generally it does not. {a: 4} is the same query as {a: {$eq: 4}}. Regexes are the exception to this, where {a: /regex/} will match either a stored regex type which is identical or a string which matches the regex. {a: {$eq: /regex/}} will only match stored regexes. This makes it harder to generally reason about the language. It makes it harder to write generic query analysis, parsing, or transformations - leading to special cases such as this one in $lookup

      This also complicates recommendations for avoiding "MQL injections" by adding an explicit $eq to your application's generated queries. An "MQL injection" might happen if your application issues a query {field: <value selected by user>} and a malicious user inputs a value like {$gt: 4} instead of an expected constant. Using an explicit $eq would prevent the user from being able to change the query.

              Assignee:
              [DO NOT USE] Backlog - Query Optimization
              Reporter:
              Charlie Swanson
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

                Created:
                Updated: