reject unsafe mongo query operators (backport 24.05)

[ar2rsawseen]

Backport of #7694 to release.24.05.

Validate user-supplied Mongo queries at the API boundary instead of stripping operators in place.

• Allow $expr; reject $where / $function / $accumulator at any depth (incl. nested inside $expr).
• Queries are never modified — a request runs exactly as submitted or returns 400.
• Adds common.parseUserQuery / common.findUnsafeMongoOperator / common.reqInfo; validation applied at the endpoints that accept a query, with rejection logged at the call site (endpoint in the message).
• Near-total /i/app_users/delete guard: force still allowed, but matching ~all users requires confirm_delete_all=true.

Cherry-picked cleanly onto release.24.05 (only the root CLAUDE.md, which doesn't exist on this branch, was dropped). Unit tests included.

Companion (lockstep): Countly/countly-enterprise-plugins backport branch backport/reject-unsafe-query-operators-24.05.

[Copilot]

Pull request overview

This PR backports the “reject unsafe mongo query operators” hardening to release.24.05 by moving validation to API boundaries (rejecting requests) instead of mutating user-supplied Mongo queries in-place, while also adding a safety net for near-total /i/app_users/delete operations.

Changes:

• Introduces common.findUnsafeMongoOperator, common.parseUserQuery, and common.reqInfo, and replaces prior “strip” behavior with request rejection (400) at multiple endpoints.
• Updates multiple plugins/endpoints to validate user-supplied query/filter JSON and log rejections with endpoint context.
• Adds an extra guard for /i/app_users/delete when force deletes would match nearly all users, requiring confirm_delete_all=true.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
test/unit-tests/api.utils.common.js	Adds unit coverage for findUnsafeMongoOperator and parseUserQuery.
plugins/systemlogs/api/api.js	Parses + validates query via parseUserQuery and rejects invalid/unsafe queries.
plugins/remote-config/api/api.js	Rejects configs/conditions containing unsafe operators before storing/dispatching.
plugins/push/api/legacy.js	Validates userConditions/drillConditions for unsafe operators in legacy push validation.
plugins/push/api/api-tx.js	Validates request-supplied tx filters for unsafe operators before dispatching.
plugins/push/api/api-message.js	Validates message filter queries for unsafe operators during message validation.
plugins/logger/api/api.js	Validates filter via parseUserQuery and rejects unsafe queries in logs fetch endpoint.
plugins/dbviewer/api/api.js	Rejects unsafe operators in user-supplied dbviewer filter/sort (post-EJSON parse).
plugins/crashes/api/api.js	Validates crashes query param via parseUserQuery and rejects unsafe queries.
plugins/compliance-hub/api/api.js	Validates compliance-hub query inputs via parseUserQuery at multiple endpoints.
api/utils/requestProcessor.js	Uses parseUserQuery for /i/app_users/* query inputs and adds near-total force-delete guard.
api/utils/common.js	Replaces stripping helper with operator detection + query parsing/validation + log-safe request context helper.
api/parts/mgmt/cms.js	Validates CMS query via parseUserQuery and rejects invalid/unsafe queries.
api/parts/mgmt/app_users.js	Removes in-place stripping in mgmt app_users methods (relying on boundary validation).
api/parts/data/fetch.js	Validates filter via parseUserQuery for fetchAllApps.
api/parts/data/exports.js	Rejects unsafe operators in export queries before preprocess + DB find.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.