restheart 2 - Aggregation error

Question

We have an aggregation operation that worked in restheart 1.1.0 but now it doesn't in 2.0.2. We have been using variables in the aggregation operation in order to handle dynamic code generation. Below is a simple example. Is there a workaround for this issue?

Here is the aggregation operation:

 {
      "type" : "pipeline", 
      "uri" : "agg_companies", 
      "stages" : [
          {
              "_$match" : {
                  "_$var" : "filter_query"
              }
          }, 
          {
              "_$group" : {
                  "_id" : "$organization._id", 
                  "name" : {
                      "_$first" : "$organization.name"
                  }
              }
          }, 
          {
              "_$sort" : {
                  "name" : NumberInt(1)
              }
          }
      ]
  }

I'm making a request to the aggregation using node with the following:

This works:

var avars = {filter_query: {travelerLastName: "Brewer"}};

This fails:

var avars = {filter_query: {travelerLastName: {$and: ["Brewer"]}}};

Error:

{ "_links" : { "self" : { "href" : "/foresiteamo/flight/_aggrs/agg_companies2"}} , "http status code" : 400 , "http status description" : "Bad Request" , "message" : "illegal avars paramenter: {\'filter_query\':{\'travelerLastName\':{\'$and\':[\'Brewer\']}}}" , "_embedded" : { "rh:exception" : [ { "exception" : "java.lang.SecurityException" , "exception message" : "aggregation variables cannot include operators"}]}}

score 0 · Answer 1 · answered Oct 05 '16 at 17:07

RESTHeart does not allow the avars to include operators (any key that starts with $).

this is by design to avoid the client to inject logic into the aggregation and eventually modifying it.

Think about the $lookup operator that might be used to snoop restricted data...

restheart 2 - Aggregation error

1 Answers1