From f73930ca4ff315f9faf1888b92e9402728cb662f Mon Sep 17 00:00:00 2001
From: Zeroday BYTE
Date: Wed, 11 Jun 2025 16:36:06 +0700
Subject: [PATCH] Update route.ts
---
.../app/api/mongodb-playground/route.ts | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/apps/mongostory/app/api/mongodb-playground/route.ts b/apps/mongostory/app/api/mongodb-playground/route.ts
index abfa48d..0ed1137 100644
--- a/apps/mongostory/app/api/mongodb-playground/route.ts
+++ b/apps/mongostory/app/api/mongodb-playground/route.ts
@@ -14,11 +14,18 @@ export async function POST(req: Request) {
 const client = await clientPromise
 const db = client.db("mongostory")
- // Execute the query in a safe sandbox environment
- const result = await eval(`(async () => {
- const db = client.db("mongostory")
- return ${query}
- })()`)
+ // Validate and execute the query securely
+ if (typeof query !== "object" || query === null) {
+ throw new Error("Invalid query format. Query must be a non-null object.");
+ }
+
+ // Example: Allow only find operations with specific constraints
+ if (!query.collection || !query.filter || typeof query.collection !== "string" || typeof query.filter !== "object") {
+ throw new Error("Invalid query structure. Must include 'collection' (string) and 'filter' (object).");
+ }
+
+ const collection = db.collection(query.collection);
+ const result = await collection.find(query.filter).toArray();
 return NextResponse.json({
 success: true,
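Review bot: `query.filter` on the `collection.find(query.filter)` line is forwarded to MongoDB unchanged and `query.collection` reaches `db.collection()` unchecked, so the new type checks still let a caller run server-side operators such as `$where` (server-side JavaScript where the deployment permits it) and read any collection in the `mongostory` database by name. The result is also unbounded — `.toArray()` with no `limit`, so a `{}` filter returns the whole collection — and `typeof query.filter !== "object"` accepts arrays, which `Array.isArray` should reject. I would keep the shape checks and add a collection allowlist, a recursive rejection of `$where` in the filter and a cap on returned documents, as sketched below. The start of `POST` is outside the hunk, so whether `query` comes from `req.json()` and whether the route is authenticated is not visible here; the allowlist is worth adding either way.
```typescript
// … unchanged: query shape checks …
const ALLOWED_COLLECTIONS = new Set<string>([/* names the playground is meant to expose */]);
if (!ALLOWED_COLLECTIONS.has(query.collection)) {
  throw new Error("Unknown collection.");
}
if (Array.isArray(query.filter) || containsWhere(query.filter)) {
  throw new Error("Unsupported filter.");
}

const collection = db.collection(query.collection);
const result = await collection.find(query.filter).limit(100).toArray();

// module scope: reject $where anywhere in a user-supplied filter document
function containsWhere(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(containsWhere);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(([key, inner]) => key === "$where" || containsWhere(inner));
  }
  return false;
}
```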