GSoC 2015 Week10

This is just another week about bug-fixing and html template convertion, same trivial stuff like usual.

I was mainly working on getting OAuth module updated, during which I found out that I’ve made a bunch of big mistakes last year and my code wasn’t deployed… It took a lot of time for me to review the OAuth2 protocol and the packages we were using. I kind of just rewrote what Elliott had written in another superficially different style without thorough understanding of the tools and protocol I was using that time, and hence bugs were left. It was all the fault of laziness and should be prevented in future.

Anyway, the logic has been rewrittened with more careful examination and a functional test, which utilizes request to imitate HTTP requests and cheerio to manipulate HTML document in server side, has been added.

A Severe Potential Bug

While I was doing the testing, I found out a potential danger of Mongoose searching. Usaully we do searching like Model.find(conditions) where conditions is a Object containing (key: value) pairs that we want our documents to match. However, if some value is undefined, that pair will be ignored.

A very bad example:

I want to search {foo: bar}, however, as bar is undefined it turns into Model.find({}), which will return every existing document of that collection.

What a terrible thing! You can’t be careful enough to do the DB querys, and I’m filtering the Dashboard now. There is better none of this potential vulnerabilities.