
I think the issue is that the client code is running actual database queries on the server, and I don't see any restrictions on what queries can be executed.

So if you log in and authenticate (through that file), it seems like you can just open the JavaScript console in Chrome and run any type of DB query you want.




DB queries are validated through a whitelist on the server, so it should be impossible to run an unauthorized query when it's locked down. E.g. https://github.com/mikemintz/react-rethinkdb/blob/master/exa...



