From 319d7b3cdc4849dd166ddaa0ea5fddf20713ab71 Mon Sep 17 00:00:00 2001
From: Pete Corey
Date: Mon, 10 Apr 2017 17:05:15 -0400
Subject: [PATCH] NoSQL Injection Fix Tighened up checking of `alertInfo` in the 'alerts.create' method.
---
 kadira-ui/server/methods/alerts.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/kadira-ui/server/methods/alerts.js b/kadira-ui/server/methods/alerts.js
index 3145c34..9a81af6 100644
--- a/kadira-ui/server/methods/alerts.js
+++ b/kadira-ui/server/methods/alerts.js
@@ -1,6 +1,13 @@
 Meteor.methods({
 "alerts.create": function(alertInfo) {
- check(alertInfo, Match.Any);
+ check(alertInfo, Match.ObjectIncluding({
+ meta: {
+ appId: String
+ },
+ rule: {
+ duration: Number
+ }
+ }));
 alertInfo.meta.enabled = true;
 setAppName(alertInfo);
@@ -81,4 +88,4 @@ function setAppName(alertsInfo) {
 var appId = alertsInfo.meta.appId;
 var app = Apps.findOne(appId);
 alertsInfo.meta.appName = app.name;
-}
\ No newline at end of file
+}
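Review bot: The new `check` in `alerts.create` pins only `meta.appId` and `rule.duration`; because the outer pattern is `Match.ObjectIncluding`, every other top-level key of `alertInfo` still passes unvalidated, so if the rest of the method (outside this hunk) stores the object or uses any other field in a query, non-primitive values can still reach the database through those keys. The inner patterns are plain objects, which Meteor's `check` treats as exact-match, so a client that sends any additional `meta` or `rule` field will now be rejected; if that is not intended, write them as `meta: Match.ObjectIncluding({ appId: String })` and `rule: Match.ObjectIncluding({ duration: Number })`, and preferably list every field the method actually reads with its primitive type. In `setAppName` (second hunk context), `Apps.findOne(appId)` can return `undefined` for an unknown id, so `app.name` throws a TypeError rather than a `Meteor.Error`. Nothing visible in the hunk confirms that the calling user owns that `appId`, which is worth verifying in the unseen part of the method.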