Mongoose Blank Query finds all, but specific query fails

Question

I am writing a small server with express, mongo and mongoose. My code:

    const express = require('express');
    const MongoClient = require('mongodb').MongoClient
    const mongoose = require('mongoose');

    const COLOURS = ["e6194b", "3cb44b", "ffe119", "0082c8", "f58231", "911eb4", "46f0f0", "d2f53c", "fabebe", "e6beff"];

    var url = 'mongodb://localhost:27017/test';
    mongoose.connect(url);

    var app = express();

    var db = mongoose.connection;
    db.on('error', console.error.bind(console, 'connection error:'));
    db.once('open', function() {
        console.log('Database connected and open');
    });

    var deviceSchema = mongoose.Schema({
        mac: String,
        ip: String,
        colourIndex: Number
    });
    var Device = mongoose.model('Device', deviceSchema);

    app.get('/register', function (req, res) {
        console.log("Registration: ");
        console.log("    MAC: " + req.query.mac);
        console.log("    IP : " + req.query.ip);
        Device.find({ mac: /req.query.mac/ }, function(err, deviceList) {
            if (err || deviceList.length == 0) {
                console.log("  Cannot find " + req.query.mac + ": " + err);
                Device.count({ mac: /req.query.mac/ }, function( err, count){
                    var index = count;
                    console.log("There are " + count + " matching");
                    var device = new Device({ mac: req.query.mac, ip: req.query.ip, colourIndex: index });
//                  device.save(function (err, device) {
//                      if (err) {
//                          res.status(500).send("Internal error");
//                          return console.error(err);
//                      }
//                      res.status(202).send(COLOURS[index]);
//                  });
                    res.status(202).send(COLOURS[0]);
                });
            } else {
                console.log(deviceList);
                res.status(202).send("Success");      
                console.log("  Colour index: %s", deviceList[0].colourIndex);
            }
        });
    });

When I try to use mac: /req.query.mac/ to find the device, it fails EVERY time. If I leave it blank, it does return the devices (I added duplicates to check with the commented out code).

I have tried looking at the documentation and stack overflow

While the answer may match, I do feel that people in my position won't even know how to begin asking the question. — Quintin Balsdon, Sep 02 '17 at 22:56

robertklep · Accepted Answer · 2017-09-02T19:08:17.667

The /.../ notation doesn't expand variables into their values, so you are literally searching for the string req.query.mac (although . will match any character).

You need to create a regular expression instance from the variable's value, which you can do using the RegExp constructor:

Device.find({ mac: new RegExp(req.query.mac) }, ...)

(and similarly for Device.count())

It's advisable to use a module like escape-string-regexp to properly escape the string first, given that it's external input (req.query.mac may contains characters that have special meaning in regular expression patterns, and some patterns may be abused to cause a denial-of-service attack):

const escapeStringRegexp = require('escape-string-regexp');
...
Device.find({ mac: new RegExp(escapeStringRegexp(req.query.mac)) }, ...)

Thanks, I would never have figured that out :( – Quintin Balsdon Sep 02 '17 at 20:26 — Quintin Balsdon, Sep 02 '17 at 20:26

Mongoose Blank Query finds all, but specific query fails

1 Answers1