Hello, I was expecting MongoEngine to help developers to prevent injection vulnerabilities.
```python
from mongoengine import Document, StringField


class User(Document):
    name = StringField()


# assume this is controller for HTTP request
def get_users_by_name(request):
    # assume that request.json is {'name': {'$gt': ''}}
    q = User.objects(name=request.json['name'])
    print(q._query)  # this would change original query structure to {'name': {'$gt': ''}}
    return list(q)
```
Expecting MongoEngine to not allow such behavior, because ORMs for SQL usually prevent most injection vectors. Let me know your opinion on it.
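An added example (not from the issue or from MongoEngine) showing the application-side mitigation for the behaviour described above: because a dict value is passed through as a MongoDB sub-document, the request body must be validated against an expected-type schema before it is used as query keyword arguments. The `safe_filter` helper and the `allowed` schema mapping are hypothetical names chosen here; `contains_operator` is a separate check that flags operator keys at any depth, which is useful for logging rejected requests.

```python
from typing import Any, Mapping


class UnsafeQueryValue(ValueError):
    """Raised when a request value could change the structure of the query."""


def contains_operator(value: Any) -> bool:
    """Return True if a JSON value carries a MongoDB operator key ('$gt', '$ne',
    '$regex', ...) at any depth. Useful for logging or alerting on such input."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def safe_filter(payload: Mapping[str, Any], allowed: dict[str, type]) -> dict[str, Any]:
    """Turn untrusted request JSON into keyword arguments for User.objects(**kwargs).

    `allowed` maps field name -> exact expected Python type (hypothetical schema,
    supplied by the caller). Fields not listed, and any value whose type differs
    from the schema (so every dict and list, which MongoDB would read as a
    sub-document or operator expression), are rejected before the query is built.
    """
    kwargs: dict[str, Any] = {}
    for field, value in payload.items():
        if field not in allowed:
            raise UnsafeQueryValue(f"field not queryable: {field!r}")
        if type(value) is not allowed[field]:  # exact match: bool is not int, dict is not str
            raise UnsafeQueryValue(
                f"{field}: expected {allowed[field].__name__}, got {type(value).__name__}")
        kwargs[field] = value
    return kwargs


# Constructed sample bodies, matching the payload shape discussed in the issue.
BENIGN_BODY = {"name": "alice"}
INJECTED_BODY = {"name": {"$gt": ""}}  # would match every document if passed through


def build_user_query_kwargs(request_json: Mapping[str, Any]) -> dict[str, Any]:
    """What the controller should pass as User.objects(**kwargs) instead of the raw value."""
    return safe_filter(request_json, {"name": str})


if __name__ == "__main__":
    print(build_user_query_kwargs(BENIGN_BODY))  # {'name': 'alice'}
    print(contains_operator(INJECTED_BODY))  # True
    try:
        build_user_query_kwargs(INJECTED_BODY)
    except UnsafeQueryValue as exc:
        print("rejected:", exc)
```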