Publications + Check errors, without killing meteor

ggerber · December 7, 2018, 2:35pm

Hi,

The meteor documentation shows how to use check within a publication (see example below).
However, it is my understanding that if the check fails an error is thrown which can kill the nodejs process. This is a super easy way to attack a meteor app. Just send arguments to a publication that does not pass check.

So how do you properly use check in a publication?
E.g. If a malicious user sends roomId of type number, check will throw an error, killing meteor.

Meteor.publish('roomAndMessages', function (roomId) {
  check(roomId, String);

  return [
    Rooms.find({ _id: roomId }, {
      fields: { secretInfo: 0 }
    }),
    Messages.find({ roomId })
  ];
});

Is this a robust approach to use check, without killing your app?:

Meteor.publish('roomAndMessages', function (roomId) {
  try {
  check(roomId, String);

  return [
    Rooms.find({ _id: roomId }, {
      fields: { secretInfo: 0 }
    }),
    Messages.find({ roomId })
  ];
  } catch (e) {
    this.error(e);
    this.ready();
  }
});

robfallows · December 7, 2018, 3:08pm

The node process isn’t killed by match. If you do nothing to catch the error, it’s sent to the client as a Meteor.Error(400, 'Match Failed').

If you choose to catch the error yourself, you can do what you want with it.

ggerber · December 8, 2018, 5:07am

Noted, thank you Rob