Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/04/20 21:17:43 UTC

[GitHub] in1723 opened a new issue #85: db.view mutates qs parameter by deleting keys property

in1723 opened a new issue #85: db.view mutates qs parameter by deleting keys property
URL: https://github.com/apache/couchdb-nano/issues/85
 
 
   When the db.view method is called with the keys option (typical for restricting the data from a view), the qs parameter is mutated and the keys property is deleted.
   If a user tries to pass the same arguments in the next call (e.g. to retry a failed request), the view is queried without the keys and may return data that was not expected.
   
   ## Expected Behavior
   db.view method should not mutate the qs parameter, allowing for another call with the same parameters object.
   
   ## Current Behavior
   qs.keys is deleted
   
   ## Possible Solution
   Do not delete qs.keys at [nano.js:578](https://github.com/apache/couchdb-nano/blob/bdea4b6019dc8b0c1ad1f09b01dd4d6b6332988d/lib/nano.js#L578)
   Pass a clone of the qs object in [nano.js:583](https://github.com/apache/couchdb-nano/blob/bdea4b6019dc8b0c1ad1f09b01dd4d6b6332988d/lib/nano.js#L583)
   
   ## Steps to Reproduce (for bugs)
   
   1. Define a sample view - assuming design doc 'users' and view 'view-by-uid' with key 'uid'
   2. Query the view with a retry:
   ```javascript
    // DB_URL is the CouchDB server URL, defined elsewhere
    var db = require('nano')(DB_URL).use('mydb');

    function queryUsers(params, callback) {
        db.view('users', 'view-by-uid', params, function(err, body) {
            if (!err) {
                callback(null, body);
            } else {
                // Retry with the same params object that was passed to the first call
                db.view('users', 'view-by-uid', params, function(err, body) {
                    if (!err) {
                        callback(null, body);
                    } else {
                        callback(err);
                    }
                });
            }
        });
    }

    // Query the view restricted to a single key
    queryUsers({
        keys: ["current-user-uid"]
    }, function(err, result) {
        console.log(result);
    });
   ```
    
   If the first call fails because of a network connection or a timeout, the retry will be called with no keys passed to the db.view method.
   
   ## Context
   Implementing a generic DB layer in an app usually involves some common functions wrapping up the nano call with extra logging and error handling. The mutation of the method parameters in db.view is not quite expected and can lead to serious flaws in the client application.
   
   While the issue is not technically a defect, it may help avoid leading to real vulnerabilities in client applications.
   
   ## Your Environment
   * Version used: 6.1.5
   * Operating System and version: Node.js 4.x on Linux / Ubuntu 16.04 
   
   

With regards,
Apache Git Services
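
The retry failure reported in the issue above, reproduced offline next to a defensive wrapper, as an added example that is not part of the original issue or of nano's code. `makeFakeDb` is a constructed stand-in that deletes `qs.keys` the way the issue describes; `naiveRetry` and `safeView` are hypothetical names.

```javascript
// Constructed stand-in for db.view as the issue describes it (not nano's code):
// it reads qs.keys, deletes it from the caller's object, and can fail N times.
function makeFakeDb(failures) {
  const sent = [];                       // keys each request was issued with
  return {
    sent,
    view(ddoc, name, qs, callback) {
      const keys = qs.keys;
      delete qs.keys;                    // the mutation reported in the issue
      sent.push(keys ? keys.slice() : null);
      if (failures-- > 0) return callback(new Error('simulated timeout'));
      callback(null, { filteredByKeys: Boolean(keys) });
    }
  };
}

// Retry pattern from the issue: both attempts share the caller's object.
function naiveRetry(db, params, callback) {
  db.view('users', 'view-by-uid', params, (err, body) => {
    if (!err) return callback(null, body);
    db.view('users', 'view-by-uid', params, callback);
  });
}

// Hypothetical wrapper: snapshot the options once, give every attempt a copy.
function safeView(db, ddoc, name, params, attempts, callback) {
  const snapshot = Object.assign({}, params);
  if (Array.isArray(params.keys)) snapshot.keys = params.keys.slice();
  (function attempt(left) {
    const qs = Object.assign({}, snapshot);
    if (snapshot.keys) qs.keys = snapshot.keys.slice();
    db.view(ddoc, name, qs, (err, body) => {
      if (err && left > 1) return attempt(left - 1);
      callback(err, body);
    });
  })(attempts);
}

// Runs both patterns against a backend whose first request fails.
function runDemo() {
  const out = {};
  const naiveDb = makeFakeDb(1), safeDb = makeFakeDb(1);
  const p1 = { keys: ['current-user-uid'] }, p2 = { keys: ['current-user-uid'] };
  naiveRetry(naiveDb, p1, (err, body) => { out.naive = { body, sent: naiveDb.sent, params: p1 }; });
  safeView(safeDb, 'users', 'view-by-uid', p2, 2, (err, body) => { out.safe = { body, sent: safeDb.sent, params: p2 }; });
  return out;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In the naive run the second request carries no keys and the caller's object has lost its `keys` property; with the wrapper both requests carry the key and the caller's object is unchanged.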