
Cursor Pagination (fromId) & NoSQL Injection Fix

Version: 1.6.0
Date: 2026-03-04

Goal: Fix broken cursor-based pagination and close a NoSQL injection vulnerability in the query filter middleware.

Solution: Rewrite filterEntitiesFromId with proper ObjectId-based sorting and comparison, add limit support. Harden createFilterEntities with key whitelisting and operator sanitization.

Features:

  • Cursor pagination now sorts by _id and compares IDs directly (no more reliance on the created field)
  • New ?limit=N query parameter for pagination
  • No more silent empty response when fromId doesn't match
  • Query filter restricted to whitelisted keys only
  • MongoDB operators ($ne, $where, etc.) stripped from filter values

Implementation Details:

  • filterEntitiesFromId: sort by _id, direct string comparison on ObjectId, limit via slice
  • createFilterEntities: ALLOWED_FILTER_KEYS whitelist, sanitizeValue() strips $-prefixed keys, rejects unrecognized value shapes
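
A sketch of the whitelist-plus-sanitization approach described for createFilterEntities, added here as an illustration and not taken from the project's code. The contents of ALLOWED_FILTER_KEYS, the buildFilter helper, and the choice to reject arrays and null as unrecognized shapes are assumptions.

```javascript
// Added illustration, not the project's createFilterEntities.js.
// Assumption: the real whitelist is not shown on the page; these keys are made up.
const ALLOWED_FILTER_KEYS = new Set(['name', 'status', 'type']);

// Returns a safe copy of a filter value, or undefined when it must be rejected.
function sanitizeValue(value) {
  if (['string', 'number', 'boolean'].includes(typeof value)) return value;
  // Assumption: arrays, null, functions etc. count as unrecognized shapes.
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return undefined;
  }
  const clean = {};
  for (const [key, inner] of Object.entries(value)) {
    // Drop MongoDB operators ($ne, $gt, $where, ...) and prototype keys.
    if (key.startsWith('$') || key === '__proto__') continue;
    const safe = sanitizeValue(inner);
    if (safe !== undefined) clean[key] = safe;
  }
  // An object that held only operators carries no usable condition.
  return Object.keys(clean).length > 0 ? clean : undefined;
}

// Hypothetical helper: builds the MongoDB filter from a parsed query object.
function buildFilter(query) {
  const filter = {};
  for (const key of Object.keys(query)) {
    if (!ALLOWED_FILTER_KEYS.has(key)) continue; // fromId, limit, $where, ...
    const safe = sanitizeValue(query[key]);
    if (safe !== undefined) filter[key] = safe;
  }
  return filter;
}

// Constructed input: what a qs-style parser yields for
// ?name=alice&status[$ne]=archived&$where=true&role=admin&type[$gt]=&type[label]=sensor
const constructedQuery = {
  name: 'alice',
  status: { $ne: 'archived' },
  $where: 'true',
  role: 'admin',
  type: { $gt: '', label: 'sensor' },
};

console.log(buildFilter(constructedQuery));
```

Because operator-only values are dropped rather than rejected, a request such as status[$ne]=archived falls back to a query without that condition; logging the dropped keys gives detection a signal for probing attempts.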

Files Modified:

  • app/middleware/filterEntitiesFromId.js - Rewritten pagination logic with sort, fromId comparison, limit
  • app/middleware/createFilterEntities.js - Added whitelist and sanitization against NoSQL injection